Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ah_var.h | 9 | ||||
-rw-r--r-- | sys/netipsec/esp_var.h | 6 | ||||
-rw-r--r-- | sys/netipsec/ipcomp_var.h | 6 | ||||
-rw-r--r-- | sys/netipsec/ipip_var.h | 8 | ||||
-rw-r--r-- | sys/netipsec/ipsec.c | 244 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 52 | ||||
-rw-r--r-- | sys/netipsec/ipsec6.h | 19 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 7 | ||||
-rw-r--r-- | sys/netipsec/ipsec_mbuf.c | 5 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 9 | ||||
-rw-r--r-- | sys/netipsec/key.c | 209 | ||||
-rw-r--r-- | sys/netipsec/key_debug.c | 2 | ||||
-rw-r--r-- | sys/netipsec/key_debug.h | 3 | ||||
-rw-r--r-- | sys/netipsec/keysock.c | 23 | ||||
-rw-r--r-- | sys/netipsec/keysock.h | 8 | ||||
-rw-r--r-- | sys/netipsec/vipsec.h | 184 | ||||
-rw-r--r-- | sys/netipsec/xform_ah.c | 54 | ||||
-rw-r--r-- | sys/netipsec/xform_esp.c | 57 | ||||
-rw-r--r-- | sys/netipsec/xform_ipcomp.c | 39 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 40 | ||||
-rw-r--r-- | sys/netipsec/xform_tcp.c | 3 |
21 files changed, 274 insertions, 713 deletions
diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h index 5a8c06e..974cc6c 100644 --- a/sys/netipsec/ah_var.h +++ b/sys/netipsec/ah_var.h @@ -71,8 +71,11 @@ struct ahstat { }; #ifdef _KERNEL -extern int ah_enable; -extern int ah_cleartos; -extern struct ahstat ahstat; +VNET_DECLARE(int, ah_enable); +#define V_ah_enable VNET_GET(ah_enable) +VNET_DECLARE(int, ah_cleartos); +#define V_ah_cleartos VNET_GET(ah_cleartos) +VNET_DECLARE(struct ahstat, ahstat); +#define V_ahstat VNET_GET(ahstat) #endif /* _KERNEL */ #endif /*_NETIPSEC_AH_VAR_H_*/ diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h index 278b996..66fcd39 100644 --- a/sys/netipsec/esp_var.h +++ b/sys/netipsec/esp_var.h @@ -72,7 +72,9 @@ struct espstat { }; #ifdef _KERNEL -extern int esp_enable; -extern struct espstat espstat; +VNET_DECLARE(int, esp_enable); +#define V_esp_enable VNET_GET(esp_enable) +VNET_DECLARE(struct espstat, espstat); +#define V_espstat VNET_GET(espstat) #endif /* _KERNEL */ #endif /*_NETIPSEC_ESP_VAR_H_*/ diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h index 6a506bb..d70c6a2 100644 --- a/sys/netipsec/ipcomp_var.h +++ b/sys/netipsec/ipcomp_var.h @@ -61,7 +61,9 @@ struct ipcompstat { }; #ifdef _KERNEL -extern int ipcomp_enable; -extern struct ipcompstat ipcompstat; +VNET_DECLARE(int, ipcomp_enable); +#define V_ipcomp_enable VNET_GET(ipcomp_enable) +VNET_DECLARE(struct ipcompstat, ipcompstat); +#define V_ipcompstat VNET_GET(ipcompstat) #endif /* _KERNEL */ #endif /*_NETIPSEC_IPCOMP_VAR_H_*/ diff --git a/sys/netipsec/ipip_var.h b/sys/netipsec/ipip_var.h index 3d4ee15..a620b72 100644 --- a/sys/netipsec/ipip_var.h +++ b/sys/netipsec/ipip_var.h 
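Review bot: The VNET_DECLARE/VNET_GET lines added to ah_var.h, esp_var.h and ipcomp_var.h make those headers depend on <net/vnet.h>, and none of the three hunks adds that include, so each header now compiles only when the including .c file has pulled in net/vnet.h first (ipsec.c does so in a later hunk; the tops of the headers are outside these hunks, so an existing include there cannot be ruled out). Either add `#include <net/vnet.h>` under the `#ifdef _KERNEL` guard in each header, or record the requirement next to the declarations with a comment such as `/* Requires <net/vnet.h> to be included before this header. */`.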
@@ -59,9 +59,9 @@ struct ipipstat }; #ifdef _KERNEL -extern int ipip_allow; -#ifdef VIMAGE_GLOBALS -extern struct ipipstat ipipstat; -#endif +VNET_DECLARE(int, ipip_allow); +#define V_ipip_allow VNET_GET(ipip_allow) +VNET_DECLARE(struct ipipstat, ipipstat); +#define V_ipipstat VNET_GET(ipipstat) #endif /* _KERNEL */ #endif /* _NETINET_IPIP_H_ */ diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index dabd5b6..4a7001e 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -57,6 +57,7 @@ #include <net/if.h> #include <net/route.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -97,30 +98,25 @@ #include <opencrypto/cryptodev.h> -#ifndef VIMAGE -#ifndef VIMAGE_GLOBALS -struct vnet_ipsec vnet_ipsec_0; -#endif -#endif - -static int ipsec_iattach(const void *); -#ifdef VIMAGE -static int ipsec_idetach(const void *); +#ifdef IPSEC_DEBUG +VNET_DEFINE(int, ipsec_debug) = 1; +#else +VNET_DEFINE(int, ipsec_debug) = 0; #endif - -#ifdef VIMAGE_GLOBALS /* NB: name changed so netstat doesn't use it. */ -struct ipsecstat ipsec4stat; -struct secpolicy ip4_def_policy; -int ipsec_debug; -int ip4_ah_offsetmask; -int ip4_ipsec_dfbit; -int ip4_esp_trans_deflev; -int ip4_esp_net_deflev; -int ip4_ah_trans_deflev; -int ip4_ah_net_deflev; -int ip4_ipsec_ecn; -int ip4_esp_randpad; +VNET_DEFINE(struct ipsecstat, ipsec4stat); +VNET_DEFINE(int, ip4_ah_offsetmask) = 0; /* maybe IP_DF? */ +/* DF bit on encap. 0: clear 1: set 2: copy */ +VNET_DEFINE(int, ip4_ipsec_dfbit) = 0; +VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip4_esp_net_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(struct secpolicy, ip4_def_policy); +/* ECN ignore(-1)/forbidden(0)/allowed(1) */ +VNET_DEFINE(int, ip4_ipsec_ecn) = 0; +VNET_DEFINE(int, ip4_esp_randpad) = -1; + /* * Crypto support requirements: * 
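Review bot: `VNET_DEFINE(struct secpolicy, ip4_def_policy);` carries no initializer, so in every new vnet the default policy starts with `.policy` equal to zero and an uninitialized lock until ipsec_iattach runs; the ipsec_iattach hunk later in this diff shows the lock init and `refcnt = 1` but the assignment of `.policy` is not inside that hunk, so confirm it still happens before key_allocsp_default or the `def_policy` sysctl can observe the struct. A short comment at the definition would make the hand-off explicit, e.g. `/* NB: lock, refcnt and .policy are set per-vnet in ipsec_iattach(). */`.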
@@ -128,80 +124,74 @@ int ip4_esp_randpad; * -1 require software support * 0 take anything */ -int crypto_support; -#endif /* VIMAGE_GLOBALS */ +VNET_DEFINE(int, crypto_support) = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; SYSCTL_DECL(_net_inet_ipsec); /* net.inet.ipsec */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY, - def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, + CTLFLAG_RW, &VNET_NAME(ip4_def_policy).policy, 0, "IPsec default policy."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, - esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, + CTLFLAG_RW, &VNET_NAME(ip4_esp_trans_deflev), 0, "Default ESP transport mode level"); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, - esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, + CTLFLAG_RW, &VNET_NAME(ip4_esp_net_deflev), 0, "Default ESP tunnel mode level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, - ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, + CTLFLAG_RW, &VNET_NAME(ip4_ah_trans_deflev), 0, "AH transfer mode default level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, - ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, + CTLFLAG_RW, &VNET_NAME(ip4_ah_net_deflev), 0, "AH tunnel mode default level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS, - ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos, + CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "If set clear type-of-service field when doing AH computation."); 
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, - ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask, + CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0, "If not set clear offset field mask when doing AH computation."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DFBIT, - dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit, + CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0, "Do not fragment bit on encap."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_ECN, - ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn, + CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0, "Explicit Congestion Notification handling."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG, - debug, CTLFLAG_RW, ipsec_debug, 0, +SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug, + CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, "Enable IPsec debugging output when set."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, - crypto_support, CTLFLAG_RW, crypto_support,0, +SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, crypto_support, + CTLFLAG_RW, &VNET_NAME(crypto_support), 0, "Crypto driver selection."); -SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, - ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, +SYSCTL_VNET_STRUCT(_net_inet_ipsec, OID_AUTO, ipsecstats, + CTLFLAG_RD, &VNET_NAME(ipsec4stat), ipsecstat, "IPsec IPv4 statistics."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, - filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0, - "If set filter packets from an IPsec tunnel."); #ifdef REGRESSION -#ifdef VIMAGE_GLOBALS -int ipsec_replay; -int ipsec_integrity; -#endif /* * When set to 1, IPsec will send packets with the same sequence number. * This allows to verify if the other side has proper replay attacks detection. 
*/ -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay, - CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack"); +VNET_DEFINE(int, ipsec_replay) = 0; +SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, test_replay, + CTLFLAG_RW, &VNET_NAME(ipsec_replay), 0, + "Emulate replay attack"); /* * When set 1, IPsec will send packets with corrupted HMAC. * This allows to verify if the other side properly detects modified packets. */ -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity, - CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack"); +VNET_DEFINE(int, ipsec_integrity) = 0; +SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, test_integrity, + CTLFLAG_RW, &VNET_NAME(ipsec_integrity), 0, + "Emulate man-in-the-middle attack"); #endif #ifdef INET6 -#ifdef VIMAGE_GLOBALS -struct ipsecstat ipsec6stat; -int ip6_esp_trans_deflev; -int ip6_esp_net_deflev; -int ip6_ah_trans_deflev; -int ip6_ah_net_deflev; -int ip6_ipsec_ecn; -#endif +VNET_DEFINE(struct ipsecstat, ipsec6stat); +VNET_DEFINE(int, ip6_esp_trans_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip6_esp_net_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip6_ah_trans_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE; +VNET_DEFINE(int, ip6_ipsec_ecn) = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ SYSCTL_DECL(_net_inet6_ipsec6); 
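Review bot: The `filtertunnel` sysctl (`net.inet.ipsec.filtertunnel`, backed by `ip4_ipsec_filtertunnel`) is deleted in this hunk and its initialization disappears with ipsec_init() later in the diff, but nothing in the diff provides a replacement; unless the knob has been re-homed outside sys/netipsec (the diffstat is limited to that directory, so it may have been), there is no longer any control over whether packets decapsulated from an IPsec tunnel are passed through pfil, which silently changes a security-relevant default. Either add the per-vnet equivalent here, `VNET_DEFINE(int, ip4_ipsec_filtertunnel)` plus a matching `SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, ...)`, or state in the commit message where the knob now lives. The REGRESSION-only `test_replay`/`test_integrity` knobs become per-vnet and stay CTLFLAG_RW; that matches the old behaviour and needs no change.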
@@ -210,33 +200,30 @@ SYSCTL_DECL(_net_inet6_ipsec6); SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD, 0, 0, compat_ipsecstats_sysctl, "S", "IPsec IPv6 statistics."); #endif /* COMPAT_KAME */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY, - def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, def_policy, CTLFLAG_RW, + &VNET_NAME(ip4_def_policy).policy, 0, "IPsec default policy."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, - esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, + esp_trans_deflev, CTLFLAG_RW, &VNET_NAME(ip6_esp_trans_deflev), 0, "Default ESP transport mode level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, - esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, + esp_net_deflev, CTLFLAG_RW, &VNET_NAME(ip6_esp_net_deflev), 0, "Default ESP tunnel mode level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, - ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, + ah_trans_deflev, CTLFLAG_RW, &VNET_NAME(ip6_ah_trans_deflev), 0, "AH transfer mode default level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, - ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, + ah_net_deflev, CTLFLAG_RW, &VNET_NAME(ip6_ah_net_deflev), 0, "AH tunnel mode default level."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN, - ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_ECN, + ecn, CTLFLAG_RW, &VNET_NAME(ip6_ipsec_ecn), 0, "Explicit Congestion Notification handling."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG, - debug, CTLFLAG_RW, 
ipsec_debug, 0, +SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, CTLFLAG_RW, + &VNET_NAME(ipsec_debug), 0, "Enable IPsec debugging output when set."); -SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS, - ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, +SYSCTL_VNET_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, + ipsecstats, CTLFLAG_RD, &VNET_NAME(ipsec6stat), ipsecstat, "IPsec IPv6 statistics."); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO, - filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0, - "If set filter packets from an IPsec tunnel."); #endif /* INET6 */ static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *)); 
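Review bot: `net.inet6.ipsec6.def_policy` is registered against `&VNET_NAME(ip4_def_policy).policy`, the same per-vnet variable that backs `net.inet.ipsec.def_policy`, so writing either knob changes the default policy for both address families and the new line keeps this aliasing without saying so. Add a comment above the IPv6 entry, e.g. `/* NB: shares ip4_def_policy; there is no separate IPv6 default policy. */`, so an operator hardening one family does not assume the other is unaffected. The IPv6 `filtertunnel` sysctl is also removed in this hunk; whether a replacement exists is outside this diff.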
@@ -253,72 +240,22 @@ static void vshiftl __P((unsigned char *, int, int)); MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy"); -#ifndef VIMAGE_GLOBALS +static int ipsec_iattach(const void *); +#ifdef VIMAGE static const vnet_modinfo_t vnet_ipsec_modinfo = { .vmi_id = VNET_MOD_IPSEC, .vmi_name = "ipsec", - .vmi_size = sizeof(struct vnet_ipsec), .vmi_dependson = VNET_MOD_INET, /* XXX revisit - INET6 ? */ .vmi_iattach = ipsec_iattach, -#ifdef VIMAGE - .vmi_idetach = ipsec_idetach -#endif }; -#endif /* !VIMAGE_GLOBALS */ - -void -ipsec_init(void) -{ - INIT_VNET_IPSEC(curvnet); - -#ifdef IPSEC_DEBUG - V_ipsec_debug = 1; -#else - V_ipsec_debug = 0; #endif - V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */ - V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ - V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE; - V_ip4_esp_net_deflev = IPSEC_LEVEL_USE; - V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE; - V_ip4_ah_net_deflev = IPSEC_LEVEL_USE; - V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ - V_ip4_esp_randpad = -1; -#ifdef IPSEC_FILTERTUNNEL - V_ip4_ipsec_filtertunnel = 1; -#else - V_ip4_ipsec_filtertunnel = 0; -#endif - - V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; - -#ifdef REGRESSION - V_ipsec_replay = 0; - V_ipsec_integrity = 0; -#endif - -#ifdef INET6 - V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE; - V_ip6_esp_net_deflev = IPSEC_LEVEL_USE; - V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE; - V_ip6_ah_net_deflev = IPSEC_LEVEL_USE; - V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ -#ifdef IPSEC_FILTERTUNNEL - V_ip6_ipsec6_filtertunnel = 1; -#else - V_ip6_ipsec6_filtertunnel = 0; -#endif -#endif -} - /* * Return a held reference to the default SP. */ static struct secpolicy * key_allocsp_default(const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 
@@ -384,7 +321,6 @@ ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir) static struct secpolicy * ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error) { - INIT_VNET_IPSEC(curvnet); struct inpcbpolicy *pcbsp; struct secpolicy *currsp = NULL; /* Policy on socket. */ struct secpolicy *sp; @@ -482,7 +418,6 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error) struct secpolicy * ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error) { - INIT_VNET_IPSEC(curvnet); struct secpolicyindex spidx; struct secpolicy *sp; @@ -515,7 +450,6 @@ struct secpolicy * ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, struct inpcb *inp) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; *error = 0; @@ -587,7 +521,6 @@ ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp) static int ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport) { - INIT_VNET_IPSEC(curvnet); struct ip *ip = NULL; struct ip ipbuf; u_int v; @@ -778,7 +711,6 @@ ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx) static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) { - INIT_VNET_IPSEC(curvnet); int off, nxt; struct tcphdr th; struct udphdr uh; @@ -891,7 +823,6 @@ ipsec_delpcbpolicy(struct inpcbpolicy *p) int ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp) { - INIT_VNET_IPSEC(curvnet); struct inpcbpolicy *new; /* Sanity check. */ @@ -1030,7 +961,6 @@ static int ipsec_set_policy_internal(struct secpolicy **pcb_sp, int optname, caddr_t request, size_t len, struct ucred *cred) { - INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *newsp = NULL; int error; @@ -1079,7 +1009,6 @@ int ipsec_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len, struct ucred *cred) { - INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy **pcb_sp; 
@@ -1111,7 +1040,6 @@ int ipsec_get_policy(struct inpcb *inp, caddr_t request, size_t len, struct mbuf **mp) { - INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *pcb_sp; @@ -1182,7 +1110,6 @@ ipsec_delete_pcbpolicy(struct inpcb *inp) u_int ipsec_get_reqlevel(struct ipsecrequest *isr) { - INIT_VNET_IPSEC(curvnet); u_int level = 0; u_int esp_trans_deflev, esp_net_deflev; u_int ah_trans_deflev, ah_net_deflev; @@ -1287,7 +1214,6 @@ ipsec_get_reqlevel(struct ipsecrequest *isr) int ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) { - INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; int need_auth; @@ -1390,7 +1316,6 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp) int ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) { - INIT_VNET_IPSEC(curvnet); int result; result = ipsec46_in_reject(m, inp); @@ -1409,7 +1334,6 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) int ipsec6_in_reject(struct mbuf *m, struct inpcb *inp) { - INIT_VNET_IPSEC(curvnet); int result; result = ipsec46_in_reject(m, inp); @@ -1428,7 +1352,6 @@ ipsec6_in_reject(struct mbuf *m, struct inpcb *inp) static size_t ipsec_hdrsiz_internal(struct secpolicy *sp) { - INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; size_t size; @@ -1491,7 +1414,6 @@ ipsec_hdrsiz_internal(struct secpolicy *sp) size_t ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int error; size_t size; @@ -1591,7 +1513,6 @@ ipsec_chkreplay(u_int32_t seq, struct secasvar *sav) int ipsec_updatereplay(u_int32_t seq, struct secasvar *sav) { - INIT_VNET_IPSEC(curvnet); struct secreplay *replay; u_int32_t diff; int fr; @@ -1791,10 +1712,10 @@ ipsec_dumpmbuf(struct mbuf *m) } static void -ipsec_attach(void) +ipsec_attach(const void *unused __unused) { -#ifndef VIMAGE_GLOBALS +#ifdef VIMAGE vnet_mod_register(&vnet_ipsec_modinfo); #else ipsec_iattach(NULL); 
@@ -1804,7 +1725,6 @@ ipsec_attach(void) static int ipsec_iattach(const void *unused __unused) { - INIT_VNET_IPSEC(curvnet); SECPOLICY_LOCK_INIT(&V_ip4_def_policy); V_ip4_def_policy.refcnt = 1; /* NB: disallow free. */ @@ -1812,16 +1732,6 @@ ipsec_iattach(const void *unused __unused) return (0); } -#ifdef VIMAGE -static int -ipsec_idetach(const void *unused __unused) -{ - - /* XXX revisit this! */ - - return (0); -} -#endif SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL); diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index c869ec8..03df7bc 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h 
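Review bot: With `ipsec_idetach` deleted here and `.vmi_idetach` dropped from vnet_ipsec_modinfo earlier in the diff, a VIMAGE kernel has no IPsec hook at all on vnet teardown, so the per-vnet `V_ip4_def_policy` lock initialized in ipsec_iattach is never destroyed and whatever per-vnet SPD/SAD state key.c now holds (its attach/detach code is not in view) is not released; the removed stub did nothing either, so this is not a regression, but it is the place where SA key material ought to be freed when a jail goes away. Keep that visible rather than silently dropping it, e.g. a comment beside the modinfo, `/* XXX no vnet detach yet: V_ip4_def_policy lock and per-vnet SADB/SPD are not torn down. */`, or restore the stub with its `.vmi_idetach` entry.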
@@ -332,25 +332,40 @@ struct ipsec_history { u_int32_t ih_spi; }; -extern int ipsec_debug; -#ifdef REGRESSION -extern int ipsec_replay; -extern int ipsec_integrity; -#endif +VNET_DECLARE(int, ipsec_debug); +#define V_ipsec_debug VNET_GET(ipsec_debug) +VNET_DECLARE(struct ipsecstat, ipsec4stat); +#define V_ipsec4stat VNET_GET(ipsec4stat) +VNET_DECLARE(int, ip4_ah_offsetmask); +#define V_ip4_ah_offsetmask VNET_GET(ip4_ah_offsetmask) +VNET_DECLARE(int, ip4_ipsec_dfbit); +#define V_ip4_ipsec_dfbit VNET_GET(ip4_ipsec_dfbit) +VNET_DECLARE(int, ip4_esp_trans_deflev); +#define V_ip4_esp_trans_deflev VNET_GET(ip4_esp_trans_deflev) +VNET_DECLARE(int, ip4_esp_net_deflev); +#define V_ip4_esp_net_deflev VNET_GET(ip4_esp_net_deflev) +VNET_DECLARE(int, ip4_ah_trans_deflev); +#define V_ip4_ah_trans_deflev VNET_GET(ip4_ah_trans_deflev) +VNET_DECLARE(int, ip4_ah_net_deflev); +#define V_ip4_ah_net_deflev VNET_GET(ip4_ah_net_deflev) +VNET_DECLARE(struct secpolicy, ip4_def_policy); +#define V_ip4_def_policy VNET_GET(ip4_def_policy) +VNET_DECLARE(int, ip4_ipsec_ecn); +#define V_ip4_ipsec_ecn VNET_GET(ip4_ipsec_ecn) +VNET_DECLARE(int, ip4_esp_randpad); +#define V_ip4_esp_randpad VNET_GET(ip4_esp_randpad) + +VNET_DECLARE(int, crypto_support); +#define V_crypto_support VNET_GET(crypto_support) -extern struct ipsecstat ipsec4stat; -extern struct secpolicy ip4_def_policy; -extern int ip4_esp_trans_deflev; -extern int ip4_esp_net_deflev; -extern int ip4_ah_trans_deflev; -extern int ip4_ah_net_deflev; extern int ip4_ah_cleartos; -extern int ip4_ah_offsetmask; -extern int ip4_ipsec_dfbit; -extern int ip4_ipsec_ecn; -extern int ip4_ipsec_filtertunnel; -extern int ip4_esp_randpad; -extern int crypto_support; + +#ifdef REGRESSION +VNET_DECLARE(int, ipsec_replay); +#define V_ipsec_replay VNET_GET(ipsec_replay) +VNET_DECLARE(int, ipsec_integrity); +#define V_ipsec_integrity VNET_GET(ipsec_integrity) +#endif #define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0) /* for openbsd compatibility 
*/ @@ -360,7 +375,6 @@ extern struct ipsecrequest *ipsec_newisr(void); extern void ipsec_delisr(struct ipsecrequest *); struct tdb_ident; -extern void ipsec_init(void); extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int)); struct inpcb; extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int, @@ -434,8 +448,6 @@ extern char *ipsec_dump_policy __P((caddr_t, char *)); extern const char *ipsec_strerror __P((void)); -#else -#include <netipsec/vipsec.h> #endif /* ! KERNEL */ #endif /* _NETIPSEC_IPSEC_H_ */ diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h index 2f49463..a04cbec 100644 --- a/sys/netipsec/ipsec6.h +++ b/sys/netipsec/ipsec6.h @@ -41,13 +41,18 @@ #include <netipsec/keydb.h> #ifdef _KERNEL -extern struct ipsecstat ipsec6stat; -extern int ip6_esp_trans_deflev; -extern int ip6_esp_net_deflev; -extern int ip6_ah_trans_deflev; -extern int ip6_ah_net_deflev; -extern int ip6_ipsec_ecn; -extern int ip6_ipsec6_filtertunnel; +VNET_DECLARE(struct ipsecstat, ipsec6stat); +#define V_ipsec6stat VNET_GET(ipsec6stat) +VNET_DECLARE(int, ip6_esp_trans_deflev); +#define V_ip6_esp_trans_deflev VNET_GET(ip6_esp_trans_deflev) +VNET_DECLARE(int, ip6_esp_net_deflev); +#define V_ip6_esp_net_deflev VNET_GET(ip6_esp_net_deflev) +VNET_DECLARE(int, ip6_ah_trans_deflev); +#define V_ip6_ah_trans_deflev VNET_GET(ip6_ah_trans_deflev) +VNET_DECLARE(int, ip6_ah_net_deflev); +#define V_ip6_ah_net_deflev VNET_GET(ip6_ah_net_deflev) +VNET_DECLARE(int, ip6_ipsec_ecn); +#define V_ip6_ipsec_ecn VNET_GET(ip6_ipsec_ecn) struct inpcb; diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 4ec169b..78f023a 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -60,6 +60,7 @@ #include <net/pfil.h> #include <net/route.h> #include <net/netisr.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> 
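Review bot: `extern int ip4_ah_cleartos;` survives the ipsec.h hunk while every other IPv4 extern is replaced by a VNET_DECLARE, and ah_var.h now declares the variable as `VNET_DECLARE(int, ah_cleartos)` with the sysctl in ipsec.c wired to `VNET_NAME(ah_cleartos)`; `ip4_ah_cleartos` therefore has no visible definition and any use of it would fail at link time. Drop that line, or, if something in this header's scope still needs the value, replace it with the per-vnet form. ipsec.h also now relies on VNET_DECLARE/VNET_GET while the hunk adds no `#include <net/vnet.h>`; the header's include list is outside the hunk, so confirm it is reachable.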
@@ -74,7 +75,6 @@ #include <netinet/in_pcb.h> #ifdef INET6 #include <netinet/icmp6.h> -#include <netinet6/vinet6.h> #endif #include <netipsec/ipsec.h> @@ -116,7 +116,6 @@ static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); static int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) { - INIT_VNET_IPSEC(curvnet); union sockaddr_union dst_address; struct secasvar *sav; u_int32_t spi; @@ -295,7 +294,6 @@ int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, struct m_tag *mt) { - INIT_VNET_IPSEC(curvnet); int prot, af, sproto; struct ip *ip; struct m_tag *mtag; @@ -518,7 +516,6 @@ ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto) int ipsec6_common_input(struct mbuf **mp, int *offp, int proto) { - INIT_VNET_IPSEC(curvnet); int l = 0; int protoff; struct ip6_ext ip6e; @@ -569,8 +566,6 @@ int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, struct m_tag *mt) { - INIT_VNET_INET6(curvnet); - INIT_VNET_IPSEC(curvnet); int prot, af, sproto; struct ip6_hdr *ip6; struct m_tag *mtag; diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c index d813c92..1b92881 100644 --- a/sys/netipsec/ipsec_mbuf.c +++ b/sys/netipsec/ipsec_mbuf.c @@ -39,6 +39,8 @@ #include <sys/vimage.h> #include <net/route.h> +#include <net/vnet.h> + #include <netinet/in.h> #include <netipsec/ipsec.h> @@ -54,7 +56,6 @@ struct mbuf * m_makespace(struct mbuf *m0, int skip, int hlen, int *off) { - INIT_VNET_IPSEC(curvnet); struct mbuf *m; unsigned remain; @@ -158,7 +159,6 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off) caddr_t m_pad(struct mbuf *m, int n) { - INIT_VNET_IPSEC(curvnet); register struct mbuf *m0, *m1; register int len, pad; caddr_t retval; @@ -231,7 +231,6 @@ m_pad(struct mbuf *m, int n) int m_striphdr(struct mbuf *m, int skip, int hlen) { - INIT_VNET_IPSEC(curvnet); struct mbuf *m1; int roff; 
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index b953786..f689fb2 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -47,6 +47,7 @@ #include <net/if.h> #include <net/pfil.h> #include <net/route.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -65,7 +66,6 @@ #include <netinet/in_pcb.h> #ifdef INET6 #include <netinet/icmp6.h> -#include <netinet6/vinet6.h> #endif #include <netipsec/ipsec.h> @@ -96,7 +96,6 @@ int ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) { - INIT_VNET_IPSEC(curvnet); struct tdb_ident *tdbi; struct m_tag *mtag; struct secasvar *sav; @@ -264,7 +263,6 @@ ipsec_nextisr( { #define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \ isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++) - INIT_VNET_IPSEC(curvnet); struct secasvar *sav; IPSECREQUEST_LOCK_ASSERT(isr); @@ -408,7 +406,6 @@ ipsec4_process_packet( int flags, int tunalready) { - INIT_VNET_IPSEC(curvnet); struct secasindex saidx; struct secasvar *sav; struct ip *ip; @@ -622,7 +619,6 @@ ipsec6_output_trans( int flags, int *tun) { - INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; struct secasindex saidx; int error = 0; @@ -690,7 +686,6 @@ bad: static int ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) { - INIT_VNET_IPSEC(curvnet); struct ip6_hdr *oip6; struct ip6_hdr *ip6; size_t plen; @@ -760,8 +755,6 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) int ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int flags) { - INIT_VNET_INET6(curvnet); - INIT_VNET_IPSEC(curvnet); struct ip6_hdr *ip6; struct ipsecrequest *isr; struct secasindex saidx; diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index 3dc6878..07a5945 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -61,6 +61,7 @@ #include <net/if.h> #include <net/route.h> #include <net/raw_cb.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> 
@@ -75,11 +76,9 @@ #ifdef INET #include <netinet/in_pcb.h> -#include <netinet/vinet.h> #endif #ifdef INET6 #include <netinet6/in6_pcb.h> -#include <netinet6/vinet6.h> #endif /* INET6 */ #include <net/pfkeyv2.h> @@ -99,7 +98,6 @@ /* randomness */ #include <sys/random.h> -#include <sys/vimage.h> #define FULLMASK 0xff #define _BITS(bytes) ((bytes) << 3) 
@@ -115,31 +113,37 @@ * field hits 0 (= no external reference other than from SA header. */ -#ifdef VIMAGE_GLOBALS -u_int32_t key_debug_level; -static u_int key_spi_trycnt; -static u_int32_t key_spi_minval; -static u_int32_t key_spi_maxval; -static u_int32_t policy_id; -static u_int key_int_random; -static u_int key_larval_lifetime; -static int key_blockacq_count; -static int key_blockacq_lifetime; -static int key_preferred_oldsa; - -static u_int32_t acq_seq; - -static int ipsec_esp_keymin; -static int ipsec_esp_auth; -static int ipsec_ah_keymin; - -static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */ -static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */ -static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1]; -static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */ -static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */ -#endif /* VIMAGE_GLOBALS */ - +VNET_DEFINE(u_int32_t, key_debug_level) = 0; +static VNET_DEFINE(u_int, key_spi_trycnt) = 1000; +#define V_key_spi_trycnt VNET_GET(key_spi_trycnt) +static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100; +#define V_key_spi_minval VNET_GET(key_spi_minval) +static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */ +#define V_key_spi_maxval VNET_GET(key_spi_maxval) +static VNET_DEFINE(u_int32_t, policy_id) = 0; +#define V_policy_id VNET_GET(policy_id) +/*interval to initialize randseed,1(m)*/ +static VNET_DEFINE(u_int, key_int_random) = 60; +#define V_key_int_random VNET_GET(key_int_random) +/* interval to expire acquiring, 30(s)*/ +static VNET_DEFINE(u_int, key_larval_lifetime) = 30; +#define V_key_larval_lifetime VNET_GET(key_larval_lifetime) +/* counter for blocking SADB_ACQUIRE.*/ +static VNET_DEFINE(int, key_blockacq_count) = 10; +#define V_key_blockacq_count VNET_GET(key_blockacq_count) +/* lifetime for blocking SADB_ACQUIRE.*/ +static VNET_DEFINE(int, key_blockacq_lifetime) = 20; +#define V_key_blockacq_lifetime VNET_GET(key_blockacq_lifetime) 
+/* preferred old sa rather than new sa.*/ +static VNET_DEFINE(int, key_preferred_oldsa) = 1; +#define V_key_preferred_oldsa VNET_GET(key_preferred_oldsa) + +static VNET_DEFINE(u_int32_t, acq_seq) = 0; +#define V_acq_seq VNET_GET(acq_seq) + + /* SPD */ +static VNET_DEFINE(LIST_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]); +#define V_sptree VNET_GET(sptree) static struct mtx sptree_lock; #define SPTREE_LOCK_INIT() \ mtx_init(&sptree_lock, "sptree", \ @@ -149,6 +153,8 @@ static struct mtx sptree_lock; #define SPTREE_UNLOCK() mtx_unlock(&sptree_lock) #define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED) +static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree); /* SAD */ +#define V_sahtree VNET_GET(sahtree) static struct mtx sahtree_lock; #define SAHTREE_LOCK_INIT() \ mtx_init(&sahtree_lock, "sahtree", \ @@ -159,6 +165,8 @@ static struct mtx sahtree_lock; #define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED) /* registed list */ +static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]); +#define V_regtree VNET_GET(regtree) static struct mtx regtree_lock; #define REGTREE_LOCK_INIT() \ mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF) @@ -167,6 +175,8 @@ static struct mtx regtree_lock; #define REGTREE_UNLOCK() mtx_unlock(®tree_lock) #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED) +static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */ +#define V_acqtree VNET_GET(acqtree) static struct mtx acq_lock; #define ACQ_LOCK_INIT() \ mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF) @@ -175,6 +185,9 @@ static struct mtx acq_lock; #define ACQ_UNLOCK() mtx_unlock(&acq_lock) #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED) + /* SP acquiring list */ +static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree); +#define V_spacqtree VNET_GET(spacqtree) static struct mtx spacq_lock; #define SPACQ_LOCK_INIT() \ mtx_init(&spacq_lock, "spacqtree", \ 
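Review bot: The SPD/SAD/registration/acquire list heads become per-vnet (`V_sptree`, `V_sahtree`, `V_regtree`, `V_acqtree`, `V_spacqtree`) while `sptree_lock`, `sahtree_lock`, `regtree_lock`, `acq_lock` and `spacq_lock` remain global `static struct mtx`; that is correct, but it means a single set of locks now serializes SADB and SPD updates across all vnets, so one jail's IKE churn can stall the others. If that is intended, say so at the locks, e.g. `/* NB: list heads are per-vnet; the locks are global and shared by all vnets. */`; otherwise the locks should move into the vnet alongside the lists and be initialized per-vnet. `V_acq_seq` and `V_policy_id` also restart at zero in every vnet, which is fine as long as nothing compares them across vnets.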
@@ -257,56 +270,63 @@ static const int maxsize[] = { sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ }; +static VNET_DEFINE(int, ipsec_esp_keymin) = 256; +#define V_ipsec_esp_keymin VNET_GET(ipsec_esp_keymin) +static VNET_DEFINE(int, ipsec_esp_auth) = 0; +#define V_ipsec_esp_auth VNET_GET(ipsec_esp_auth) +static VNET_DEFINE(int, ipsec_ah_keymin) = 128; +#define V_ipsec_ah_keymin VNET_GET(ipsec_ah_keymin) + #ifdef SYSCTL_DECL SYSCTL_DECL(_net_key); #endif -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_DEBUG_LEVEL, debug, - CTLFLAG_RW, key_debug_level, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, + CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, ""); /* max count of trial for the decision of spi value */ -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_SPI_TRY, spi_trycnt, - CTLFLAG_RW, key_spi_trycnt, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, + CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, ""); /* minimum spi value to allocate automatically. */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MIN_VALUE, - spi_minval, CTLFLAG_RW, key_spi_minval, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MIN_VALUE, + spi_minval, CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, ""); /* maximun spi value to allocate automatically. 
*/ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MAX_VALUE, - spi_maxval, CTLFLAG_RW, key_spi_maxval, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MAX_VALUE, + spi_maxval, CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, ""); /* interval to initialize randseed */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_RANDOM_INT, - int_random, CTLFLAG_RW, key_int_random, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_RANDOM_INT, + int_random, CTLFLAG_RW, &VNET_NAME(key_int_random), 0, ""); /* lifetime for larval SA */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_LARVAL_LIFETIME, - larval_lifetime, CTLFLAG_RW, key_larval_lifetime, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_LARVAL_LIFETIME, + larval_lifetime, CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, ""); /* counter for blocking to send SADB_ACQUIRE to IKEd */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_COUNT, - blockacq_count, CTLFLAG_RW, key_blockacq_count, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, + blockacq_count, CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, ""); /* lifetime for blocking to send SADB_ACQUIRE to IKEd */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_LIFETIME, - blockacq_lifetime, CTLFLAG_RW, key_blockacq_lifetime, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, + blockacq_lifetime, CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, ""); /* ESP auth */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_AUTH, esp_auth, - CTLFLAG_RW, ipsec_esp_auth, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, + CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, ""); /* minimum ESP key length */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_KEYMIN, - esp_keymin, CTLFLAG_RW, ipsec_esp_keymin, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_KEYMIN, + esp_keymin, CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, ""); /* minimum AH key length */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_AH_KEYMIN, ah_keymin, - CTLFLAG_RW, ipsec_ah_keymin, 0, 
""); +SYSCTL_VNET_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, + CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, ""); /* perfered old SA rather than new SA */ -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_PREFERED_OLDSA, - preferred_oldsa, CTLFLAG_RW, key_preferred_oldsa, 0, ""); +SYSCTL_VNET_INT(_net_key, KEYCTL_PREFERED_OLDSA, + preferred_oldsa, CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, ""); #define __LIST_CHAINED(elm) \ (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) @@ -579,7 +599,6 @@ key_addref(struct secpolicy *sp) int key_havesp(u_int dir) { - INIT_VNET_IPSEC(curvnet); return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ? LIST_FIRST(&V_sptree[dir]) != NULL : 1); @@ -595,7 +614,6 @@ key_havesp(u_int dir) struct secpolicy * key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(spidx != NULL, ("null spidx")); @@ -652,7 +670,6 @@ key_allocsp2(u_int32_t spi, u_int dir, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(dst != NULL, ("null dst")); @@ -715,7 +732,6 @@ key_gettunnel(const struct sockaddr *osrc, const struct sockaddr *idst, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; const int dir = IPSEC_DIR_INBOUND; struct ipsecrequest *r1, *r2, *p; @@ -791,7 +807,6 @@ done: int key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx) { - INIT_VNET_IPSEC(curvnet); u_int level; int error; @@ -887,7 +902,6 @@ static struct secasvar * key_allocsa_policy(const struct secasindex *saidx) { #define N(a) _ARRAYLEN(a) - INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; u_int stateidx, arraysize; 
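Review bot: Every `SYSCTL_VNET_INT` in this hunk passes `""` as its description while the comment on the line above already says what the knob does; moving that text into the last argument makes it visible to `sysctl -d`, e.g. `SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, "Minimum SPI value to allocate automatically");`. The same empty strings appear in the xform_ah.c, xform_esp.c and xform_ipcomp.c sysctl hunks below. `spi_minval`/`spi_maxval`, `esp_keymin` and `ah_keymin` remain plain CTLFLAG_RW integers with no handler checking that min <= max or enforcing a floor on the key lengths, which the commit does not change but which matters more now that each vnet carries its own copy — if jailed vnets are allowed to write these, the effective key-length policy becomes per-jail, so the intended trust boundary is worth a comment. The comments also misspell "maximun" and "perfered".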
@@ -935,7 +949,6 @@ key_allocsa_policy(const struct secasindex *saidx) static struct secasvar * key_do_allocsa_policy(struct secashead *sah, u_int state) { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav, *nextsav, *candidate, *d; /* initilize */ @@ -1081,7 +1094,6 @@ key_allocsa( u_int32_t spi, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; u_int stateidx, arraysize, state; @@ -1160,7 +1172,6 @@ done: void _key_freesp(struct secpolicy **spp, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp = *spp; IPSEC_ASSERT(sp != NULL, ("null sp")); @@ -1186,7 +1197,6 @@ _key_freesp(struct secpolicy **spp, const char* where, int tag) void key_freeso(struct socket *so) { - INIT_VNET_IPSEC(curvnet); IPSEC_ASSERT(so != NULL, ("null so")); switch (so->so_proto->pr_domain->dom_family) { @@ -1237,7 +1247,6 @@ key_freesp_so(struct secpolicy **sp) void key_freesav(struct secasvar **psav, const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav = *psav; IPSEC_ASSERT(sav != NULL, ("null sav")); @@ -1296,7 +1305,6 @@ key_delsp(struct secpolicy *sp) static struct secpolicy * key_getsp(struct secpolicyindex *spidx) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(spidx != NULL, ("null spidx")); @@ -1323,7 +1331,6 @@ key_getsp(struct secpolicyindex *spidx) static struct secpolicy * key_getspbyid(u_int32_t id) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; SPTREE_LOCK(); @@ -1353,7 +1360,6 @@ done: struct secpolicy * key_newsp(const char* where, int tag) { - INIT_VNET_IPSEC(curvnet); struct secpolicy *newsp = NULL; newsp = (struct secpolicy *) @@ -1388,7 +1394,6 @@ key_msg2sp(xpl0, len, error) size_t len; int *error; { - INIT_VNET_IPSEC(curvnet); struct secpolicy *newsp; IPSEC_ASSERT(xpl0 != NULL, ("null xpl0")); 
@@ -1786,7 +1791,6 @@ key_spdadd(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct sadb_x_policy *xpl0, *xpl; struct sadb_lifetime *lft = NULL; @@ -2019,7 +2023,6 @@ key_spdadd(so, m, mhp) static u_int32_t key_getnewspid() { - INIT_VNET_IPSEC(curvnet); u_int32_t newid = 0; int count = V_key_spi_trycnt; /* XXX */ struct secpolicy *sp; @@ -2061,7 +2064,6 @@ key_spddelete(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct sadb_x_policy *xpl0; struct secpolicyindex spidx; @@ -2170,7 +2172,6 @@ key_spddelete2(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); u_int32_t id; struct secpolicy *sp; @@ -2263,7 +2264,6 @@ key_spdget(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); u_int32_t id; struct secpolicy *sp; struct mbuf *n; @@ -2315,7 +2315,6 @@ int key_spdacquire(sp) struct secpolicy *sp; { - INIT_VNET_IPSEC(curvnet); struct mbuf *result = NULL, *m; struct secspacq *newspacq; @@ -2378,7 +2377,6 @@ key_spdflush(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_msg *newmsg; struct secpolicy *sp; u_int dir; @@ -2431,7 +2429,6 @@ key_spddump(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int cnt; u_int dir; @@ -2704,7 +2701,6 @@ static struct secashead * key_newsah(saidx) struct secasindex *saidx; { - INIT_VNET_IPSEC(curvnet); struct secashead *newsah; IPSEC_ASSERT(saidx != NULL, ("null saidx")); @@ -2733,7 +2729,6 @@ static void key_delsah(sah) struct secashead *sah; { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav, *nextsav; u_int stateidx; int zombie = 0; 
@@ -2795,7 +2790,6 @@ key_newsav(m, mhp, sah, errp, where, tag) const char* where; int tag; { - INIT_VNET_IPSEC(curvnet); struct secasvar *newsav; const struct sadb_sa *xsa; @@ -2962,7 +2956,6 @@ static struct secashead * key_getsah(saidx) struct secasindex *saidx; { - INIT_VNET_IPSEC(curvnet); struct secashead *sah; SAHTREE_LOCK(); @@ -2989,7 +2982,6 @@ key_checkspidup(saidx, spi) struct secasindex *saidx; u_int32_t spi; { - INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; @@ -3026,7 +3018,6 @@ key_getsavbyspi(sah, spi) struct secashead *sah; u_int32_t spi; { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav; u_int stateidx, state; @@ -3070,7 +3061,6 @@ key_setsaval(sav, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); int error = 0; IPSEC_ASSERT(m != NULL, ("null mbuf")); @@ -3306,7 +3296,6 @@ key_setsaval(sav, m, mhp) static int key_mature(struct secasvar *sav) { - INIT_VNET_IPSEC(curvnet); int error; /* check SPI value */ @@ -3782,7 +3771,6 @@ key_setsadbxport(u_int16_t port, u_int16_t type) u_int16_t key_portfromsaddr(struct sockaddr *sa) { - INIT_VNET_IPSEC(curvnet); switch (sa->sa_family) { #ifdef INET @@ -3807,7 +3795,6 @@ key_portfromsaddr(struct sockaddr *sa) static void key_porttosaddr(struct sockaddr *sa, u_int16_t port) { - INIT_VNET_IPSEC(curvnet); switch (sa->sa_family) { #ifdef INET @@ -3868,7 +3855,6 @@ struct seckey * key_dup_keymsg(const struct sadb_key *src, u_int len, struct malloc_type *type) { - INIT_VNET_IPSEC(curvnet); struct seckey *dst; dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT); if (dst != NULL) { @@ -3902,7 +3888,6 @@ static struct seclifetime * key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type) { - INIT_VNET_IPSEC(curvnet); struct seclifetime *dst = NULL; dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), 
@@ -3928,7 +3913,6 @@ key_ismyaddr(sa) struct sockaddr *sa; { #ifdef INET - INIT_VNET_INET(curvnet); struct sockaddr_in *sin; struct in_ifaddr *ia; #endif @@ -3976,7 +3960,6 @@ static int key_ismyaddr6(sin6) struct sockaddr_in6 *sin6; { - INIT_VNET_INET6(curvnet); struct in6_ifaddr *ia; #if 0 struct in6_multi *in6m; @@ -4325,7 +4308,6 @@ key_bbcmp(const void *a1, const void *a2, u_int bits) static void key_flush_spd(time_t now) { - INIT_VNET_IPSEC(curvnet); static u_int16_t sptree_scangen = 0; u_int16_t gen = sptree_scangen++; struct secpolicy *sp; @@ -4373,7 +4355,6 @@ restart: static void key_flush_sad(time_t now) { - INIT_VNET_IPSEC(curvnet); struct secashead *sah, *nextsah; struct secasvar *sav, *nextsav; @@ -4511,7 +4492,6 @@ key_flush_sad(time_t now) static void key_flush_acq(time_t now) { - INIT_VNET_IPSEC(curvnet); struct secacq *acq, *nextacq; /* ACQ tree */ @@ -4530,7 +4510,6 @@ key_flush_acq(time_t now) static void key_flush_spacq(time_t now) { - INIT_VNET_IPSEC(curvnet); struct secspacq *acq, *nextacq; /* SP ACQ tree */ @@ -4678,7 +4657,6 @@ key_getspi(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *newsah; @@ -4913,7 +4891,6 @@ key_do_getnewspi(spirange, saidx) struct sadb_spirange *spirange; struct secasindex *saidx; { - INIT_VNET_IPSEC(curvnet); u_int32_t newspi; u_int32_t min, max; int count = V_key_spi_trycnt; @@ -4995,7 +4972,6 @@ key_update(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; #ifdef IPSEC_NAT_T @@ -5286,7 +5262,6 @@ key_add(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; #ifdef IPSEC_NAT_T 
@@ -5501,7 +5476,6 @@ key_setident(sah, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); const struct sadb_ident *idsrc, *iddst; int idsrclen, iddstlen; @@ -5624,7 +5598,6 @@ key_delete(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; struct secasindex saidx; @@ -5770,7 +5743,6 @@ static int key_delete_all(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp, u_int16_t proto) { - INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *sah; @@ -5894,7 +5866,6 @@ key_get(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; struct secasindex saidx; @@ -6037,7 +6008,6 @@ key_getcomb_setlifetime(comb) static struct mbuf * key_getcomb_esp() { - INIT_VNET_IPSEC(curvnet); struct sadb_comb *comb; struct enc_xform *algo; struct mbuf *result = NULL, *m, *n; @@ -6116,7 +6086,6 @@ key_getsizes_ah( u_int16_t* min, u_int16_t* max) { - INIT_VNET_IPSEC(curvnet); *min = *max = ah->keysize; if (ah->keysize == 0) { @@ -6142,7 +6111,6 @@ key_getsizes_ah( static struct mbuf * key_getcomb_ah() { - INIT_VNET_IPSEC(curvnet); struct sadb_comb *comb; struct auth_hash *algo; struct mbuf *m; @@ -6303,7 +6271,6 @@ key_getprop(saidx) static int key_acquire(const struct secasindex *saidx, struct secpolicy *sp) { - INIT_VNET_IPSEC(curvnet); struct mbuf *result = NULL, *m; struct secacq *newacq; u_int8_t satype; @@ -6474,7 +6441,6 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp) static struct secacq * key_newacq(const struct secasindex *saidx) { - INIT_VNET_IPSEC(curvnet); struct secacq *newacq; /* get new entry */ 
@@ -6501,7 +6467,6 @@ key_newacq(const struct secasindex *saidx) static struct secacq * key_getacq(const struct secasindex *saidx) { - INIT_VNET_IPSEC(curvnet); struct secacq *acq; ACQ_LOCK(); @@ -6518,7 +6483,6 @@ static struct secacq * key_getacqbyseq(seq) u_int32_t seq; { - INIT_VNET_IPSEC(curvnet); struct secacq *acq; ACQ_LOCK(); @@ -6535,7 +6499,6 @@ static struct secspacq * key_newspacq(spidx) struct secpolicyindex *spidx; { - INIT_VNET_IPSEC(curvnet); struct secspacq *acq; /* get new entry */ @@ -6562,7 +6525,6 @@ static struct secspacq * key_getspacq(spidx) struct secpolicyindex *spidx; { - INIT_VNET_IPSEC(curvnet); struct secspacq *acq; SPACQ_LOCK(); @@ -6597,7 +6559,6 @@ key_acquire2(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); const struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *sah; @@ -6756,7 +6717,6 @@ key_register(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct secreg *reg, *newreg = 0; IPSEC_ASSERT(so != NULL, ("null socket")); @@ -6911,7 +6871,6 @@ key_register(so, m, mhp) void key_freereg(struct socket *so) { - INIT_VNET_IPSEC(curvnet); struct secreg *reg; int i; @@ -7087,7 +7046,6 @@ key_flush(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct sadb_msg *newmsg; struct secashead *sah, *nextsah; struct secasvar *sav, *nextsav; @@ -7171,7 +7129,6 @@ key_dump(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; u_int16_t proto; @@ -7352,7 +7309,6 @@ key_parse(m, so) struct mbuf *m; struct socket *so; { - INIT_VNET_IPSEC(curvnet); struct sadb_msg *msg; struct sadb_msghdr mh; u_int orglen; @@ -7624,7 +7580,6 @@ key_align(m, mhp) struct mbuf *m; struct sadb_msghdr *mhp; { - INIT_VNET_IPSEC(curvnet); struct mbuf *n; struct sadb_ext *ext; size_t off, end; 
@@ -7792,26 +7747,8 @@ key_validate_ext(ext, len)
 void
 key_init(void)
 {
- INIT_VNET_IPSEC(curvnet);
 int i;
 
- V_key_debug_level = 0;
- V_key_spi_trycnt = 1000;
- V_key_spi_minval = 0x100;
- V_key_spi_maxval = 0x0fffffff; /* XXX */
- V_policy_id = 0;
- V_key_int_random = 60; /*interval to initialize randseed,1(m)*/
- V_key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
- V_key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
- V_key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
- V_key_preferred_oldsa = 1; /* preferred old sa rather than new sa*/
-
- V_acq_seq = 0;
-
- V_ipsec_esp_keymin = 256;
- V_ipsec_esp_auth = 0;
- V_ipsec_ah_keymin = 128;
-
 for (i = 0; i < IPSEC_DIR_MAX; i++)
 LIST_INIT(&V_sptree[i]);
 
@@ -7850,7 +7787,6 @@ key_init(void)
 void
 key_destroy(void)
 {
- INIT_VNET_IPSEC(curvnet);
 struct secpolicy *sp, *nextsp;
 struct secspacq *acq, *nextacq;
 struct secashead *sah, *nextsah;
@@ -7984,7 +7920,6 @@ void
 key_sa_routechange(dst)
 struct sockaddr *dst;
 {
- INIT_VNET_IPSEC(curvnet);
 struct secashead *sah;
 struct route *ro;
 
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index a13a88a..da5dd75 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -44,9 +44,9 @@
 #include <sys/queue.h>
 #endif
 #include <sys/socket.h>
-#include <sys/vimage.h>
 
 #include <net/route.h>
+#include <net/vnet.h>
 
 #include <netipsec/key_var.h>
 #include <netipsec/key_debug.h>
diff --git a/sys/netipsec/key_debug.h b/sys/netipsec/key_debug.h
index 6ca0fe2..3082cc3 100644
--- a/sys/netipsec/key_debug.h
+++ b/sys/netipsec/key_debug.h
@@ -56,7 +56,8 @@
 #define KEYDEBUG(lev,arg) \
 do { if ((V_key_debug_level & (lev)) == (lev)) { arg; } } while (0)
 
-extern u_int32_t key_debug_level;
+VNET_DECLARE(u_int32_t, key_debug_level);
+#define V_key_debug_level VNET_GET(key_debug_level)
 #endif /*_KERNEL*/
 
 struct sadb_msg;
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index bb7cb00..1c79421 100644
--- a/sys/netipsec/keysock.c +++ b/sys/netipsec/keysock.c @@ -67,22 +67,25 @@ #include <machine/stdarg.h> -#ifdef VIMAGE_GLOBALS -static struct key_cb key_cb; -struct pfkeystat pfkeystat; -#endif +struct key_cb { + int key_count; + int any_count; +}; +static VNET_DEFINE(struct key_cb, key_cb); +#define V_key_cb VNET_GET(key_cb) -static struct sockaddr key_src = { 2, PF_KEY }; +static struct sockaddr key_src = { 2, PF_KEY, }; static int key_sendup0 __P((struct rawcb *, struct mbuf *, int)); +VNET_DEFINE(struct pfkeystat, pfkeystat); + /* * key_output() */ int key_output(struct mbuf *m, struct socket *so) { - INIT_VNET_IPSEC(curvnet); struct sadb_msg *msg; int len, error = 0; @@ -136,7 +139,6 @@ key_sendup0(rp, m, promisc) struct mbuf *m; int promisc; { - INIT_VNET_IPSEC(curvnet); int error; if (promisc) { @@ -181,7 +183,6 @@ key_sendup(so, msg, len, target) u_int len; int target; /*target of the resulting message*/ { - INIT_VNET_IPSEC(curvnet); struct mbuf *m, *n, *mprev; int tlen; @@ -270,8 +271,6 @@ key_sendup_mbuf(so, m, target) struct mbuf *m; int target; { - INIT_VNET_NET(curvnet); - INIT_VNET_IPSEC(curvnet); struct mbuf *n; struct keycb *kp; int sendup; @@ -389,7 +388,6 @@ key_abort(struct socket *so) static int key_attach(struct socket *so, int proto, struct thread *td) { - INIT_VNET_IPSEC(curvnet); struct keycb *kp; int error; @@ -464,7 +462,6 @@ key_connect(struct socket *so, struct sockaddr *nam, struct thread *td) static void key_detach(struct socket *so) { - INIT_VNET_IPSEC(curvnet); struct keycb *kp = (struct keycb *)sotorawcb(so); KASSERT(kp != NULL, ("key_detach: kp == NULL")); @@ -567,10 +564,8 @@ struct protosw keysw[] = { static void key_init0(void) { - INIT_VNET_IPSEC(curvnet); bzero((caddr_t)&V_key_cb, sizeof(V_key_cb)); - ipsec_init(); key_init(); } diff --git a/sys/netipsec/keysock.h b/sys/netipsec/keysock.h index 1097206..bcc274b 100644 --- a/sys/netipsec/keysock.h +++ b/sys/netipsec/keysock.h 
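Review bot: `key_init0()` drops the `ipsec_init();` call and keeps only `key_init()`, but nothing in this hunk shows where `ipsec_init()` now runs (ipsec.c is in the diffstat but not in this view), so the ordering the old code fixed explicitly — ipsec_init before key_init — should be confirmed against the new ipsec.c initialization, ideally with a comment on `key_init0` naming what it relies on. The `bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));` that stays is presumably redundant once `key_cb` is a `VNET_DEFINE` without an initializer (zero like any other static object), though harmless. In the first hunk `struct key_cb` moves from keysock.h into keysock.c; a one-line comment on each of `key_count` and `any_count` would help now that the type is private to this file.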
@@ -58,11 +58,6 @@ struct pfkeystat { u_quad_t sockerr; /* # of socket related errors */ }; -struct key_cb { - int key_count; - int any_count; -}; - #define KEY_SENDUP_ONE 0 #define KEY_SENDUP_ALL 1 #define KEY_SENDUP_REGISTERED 2 @@ -74,7 +69,8 @@ struct keycb { int kp_registered; /* registered socket */ }; -extern struct pfkeystat pfkeystat; +VNET_DECLARE(struct pfkeystat, pfkeystat); +#define V_pfkeystat VNET_GET(pfkeystat) extern int key_output(struct mbuf *m, struct socket *so); extern int key_usrreq __P((struct socket *, diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h deleted file mode 100644 index 4a643e5..0000000 --- a/sys/netipsec/vipsec.h +++ /dev/null 
@@ -1,184 +0,0 @@ -/* - * Copyright (c) 2007-2008 University of Zagreb - * Copyright (c) 2007-2008 FreeBSD Foundation - * - * This software was developed by the University of Zagreb and the - * FreeBSD Foundation under sponsorship by the Stichting NLnet and the - * FreeBSD Foundation. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD$ - */ - -#ifndef _NETIPSEC_VIPSEC_H_ -#define _NETIPSEC_VIPSEC_H_ - -#include <sys/protosw.h> - -#include <net/pfkeyv2.h> -#include <net/raw_cb.h> - -#include <netipsec/ah_var.h> -#include <netipsec/esp_var.h> -#include <netipsec/ipcomp_var.h> -#include <netipsec/ipip_var.h> -#include <netipsec/ipsec.h> -#include <netipsec/keysock.h> - -struct vnet_ipsec { - int _ipsec_debug; - struct ipsecstat _ipsec4stat; - struct secpolicy _ip4_def_policy; - - int _ip4_esp_trans_deflev; - int _ip4_esp_net_deflev; - int _ip4_ah_trans_deflev; - int _ip4_ah_net_deflev; - int _ip4_ah_offsetmask; - int _ip4_ipsec_dfbit; - int _ip4_ipsec_ecn; - int _ip4_ipsec_filtertunnel; - int _ip4_esp_randpad; - - int _ipsec_replay; - int _ipsec_integrity; - int _crypto_support; - - u_int32_t _key_debug_level; - u_int _key_spi_trycnt; - u_int32_t _key_spi_minval; - u_int32_t _key_spi_maxval; - u_int32_t _policy_id; - u_int _key_int_random; - u_int _key_larval_lifetime; - int _key_blockacq_count; - int _key_blockacq_lifetime; - int _key_preferred_oldsa; - u_int32_t _acq_seq; - - int _esp_enable; - struct espstat _espstat; - int _esp_max_ivlen; - int _ipsec_esp_keymin; - int _ipsec_esp_auth; - int _ipsec_ah_keymin; - int _ipip_allow; - struct ipipstat _ipipstat; - - struct ipsecstat _ipsec6stat; - int _ip6_esp_trans_deflev; - int _ip6_esp_net_deflev; - int _ip6_ah_trans_deflev; - int _ip6_ah_net_deflev; - int _ip6_ipsec_ecn; - int _ip6_ipsec6_filtertunnel; - - int _ah_enable; - int _ah_cleartos; - struct ahstat _ahstat; - - int _ipcomp_enable; - struct ipcompstat _ipcompstat; - - struct pfkeystat _pfkeystat; - struct key_cb _key_cb; - LIST_HEAD(, secpolicy) _sptree[IPSEC_DIR_MAX]; - LIST_HEAD(, secashead) _sahtree; - LIST_HEAD(, secreg) _regtree[SADB_SATYPE_MAX + 1]; - LIST_HEAD(, secacq) _acqtree; - LIST_HEAD(, secspacq) _spacqtree; -}; - -/* Size guard. See sys/vimage.h. 
*/ -VIMAGE_CTASSERT(SIZEOF_vnet_ipsec, sizeof(struct vnet_ipsec)); - -#ifndef VIMAGE -#ifndef VIMAGE_GLOBALS -extern struct vnet_ipsec vnet_ipsec_0; -#endif -#endif - -/* - * Symbol translation macros - */ -#define INIT_VNET_IPSEC(vnet) \ - INIT_FROM_VNET(vnet, VNET_MOD_IPSEC, struct vnet_ipsec, vnet_ipsec) - -#define VNET_IPSEC(sym) VSYM(vnet_ipsec, sym) - -#define V_acq_seq VNET_IPSEC(acq_seq) -#define V_acqtree VNET_IPSEC(acqtree) -#define V_ah_cleartos VNET_IPSEC(ah_cleartos) -#define V_ah_enable VNET_IPSEC(ah_enable) -#define V_ahstat VNET_IPSEC(ahstat) -#define V_crypto_support VNET_IPSEC(crypto_support) -#define V_esp_enable VNET_IPSEC(esp_enable) -#define V_esp_max_ivlen VNET_IPSEC(esp_max_ivlen) -#define V_espstat VNET_IPSEC(espstat) -#define V_ip4_ah_net_deflev VNET_IPSEC(ip4_ah_net_deflev) -#define V_ip4_ah_offsetmask VNET_IPSEC(ip4_ah_offsetmask) -#define V_ip4_ah_trans_deflev VNET_IPSEC(ip4_ah_trans_deflev) -#define V_ip4_def_policy VNET_IPSEC(ip4_def_policy) -#define V_ip4_esp_net_deflev VNET_IPSEC(ip4_esp_net_deflev) -#define V_ip4_esp_randpad VNET_IPSEC(ip4_esp_randpad) -#define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev) -#define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit) -#define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn) -#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel) -#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev) -#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev) -#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev) -#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad) -#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev) -#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn) -#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel) -#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable) -#define V_ipcompstat VNET_IPSEC(ipcompstat) -#define V_ipip_allow VNET_IPSEC(ipip_allow) -#define V_ipipstat VNET_IPSEC(ipipstat) -#define V_ipsec4stat VNET_IPSEC(ipsec4stat) 
-#define V_ipsec6stat VNET_IPSEC(ipsec6stat) -#define V_ipsec_ah_keymin VNET_IPSEC(ipsec_ah_keymin) -#define V_ipsec_debug VNET_IPSEC(ipsec_debug) -#define V_ipsec_esp_auth VNET_IPSEC(ipsec_esp_auth) -#define V_ipsec_esp_keymin VNET_IPSEC(ipsec_esp_keymin) -#define V_ipsec_integrity VNET_IPSEC(ipsec_integrity) -#define V_ipsec_replay VNET_IPSEC(ipsec_replay) -#define V_key_blockacq_count VNET_IPSEC(key_blockacq_count) -#define V_key_blockacq_lifetime VNET_IPSEC(key_blockacq_lifetime) -#define V_key_cb VNET_IPSEC(key_cb) -#define V_key_debug_level VNET_IPSEC(key_debug_level) -#define V_key_int_random VNET_IPSEC(key_int_random) -#define V_key_larval_lifetime VNET_IPSEC(key_larval_lifetime) -#define V_key_preferred_oldsa VNET_IPSEC(key_preferred_oldsa) -#define V_key_spi_maxval VNET_IPSEC(key_spi_maxval) -#define V_key_spi_minval VNET_IPSEC(key_spi_minval) -#define V_key_spi_trycnt VNET_IPSEC(key_spi_trycnt) -#define V_pfkeystat VNET_IPSEC(pfkeystat) -#define V_policy_id VNET_IPSEC(policy_id) -#define V_regtree VNET_IPSEC(regtree) -#define V_sahtree VNET_IPSEC(sahtree) -#define V_spacqtree VNET_IPSEC(spacqtree) -#define V_sptree VNET_IPSEC(sptree) - -#endif /* !_NETIPSEC_VIPSEC_H_ */ diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 07d7001..658c92c 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -49,6 +49,7 @@ #include <sys/vimage.h> #include <net/if.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -73,17 +74,6 @@ #include <opencrypto/cryptodev.h> -static int ah_iattach(const void *); - -#ifndef VIMAGE_GLOBALS -static const vnet_modinfo_t vnet_ah_modinfo = { - .vmi_id = VNET_MOD_AH, - .vmi_name = "ipsec_ah", - .vmi_dependson = VNET_MOD_IPSEC, - .vmi_iattach = ah_iattach -}; -#endif /* !VIMAGE_GLOBALS */ - /* * Return header size in bytes. The old protocol did not support * the replay counter; the new protocol always includes the counter. 
@@ -99,19 +89,17 @@ static const vnet_modinfo_t vnet_ah_modinfo = { #define AUTHSIZE(sav) \ ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN) -#ifdef VIMAGE_GLOBALS -int ah_enable; -int ah_cleartos; -struct ahstat ahstat; -#endif +VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */ +VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */ +VNET_DEFINE(struct ahstat, ahstat); SYSCTL_DECL(_net_inet_ah); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO, - ah_enable, CTLFLAG_RW, ah_enable, 0, ""); -SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO, - ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, ""); -SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS, - stats, CTLFLAG_RD, ahstat, ahstat, ""); +SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, + ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); +SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, + ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); +SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS, + stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, ""); static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ @@ -173,7 +161,6 @@ ah_hdrsiz(struct secasvar *sav) int ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) { - INIT_VNET_IPSEC(curvnet); struct auth_hash *thash; int keylen; @@ -228,7 +215,6 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) static int ah_init(struct secasvar *sav, struct xformsw *xsp) { - INIT_VNET_IPSEC(curvnet); struct cryptoini cria; int error; @@ -263,7 +249,6 @@ ah_zeroize(struct secasvar *sav) static int ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) { - INIT_VNET_IPSEC(curvnet); struct mbuf *m = *m0; unsigned char *ptr; int off, count; 
@@ -568,7 +553,6 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) static int ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - INIT_VNET_IPSEC(curvnet); struct auth_hash *ahx; struct tdb_ident *tdbi; struct tdb_crypto *tc; @@ -738,7 +722,6 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) static int ah_input_cb(struct cryptop *crp) { - INIT_VNET_IPSEC(curvnet); int rplen, error, skip, protoff; unsigned char calc[AH_ALEN_MAX]; struct mbuf *m; @@ -901,7 +884,6 @@ ah_output( int skip, int protoff) { - INIT_VNET_IPSEC(curvnet); struct secasvar *sav; struct auth_hash *ahx; struct cryptodesc *crda; @@ -1128,7 +1110,6 @@ bad: static int ah_output_cb(struct cryptop *crp) { - INIT_VNET_IPSEC(curvnet); int skip, protoff, error; struct tdb_crypto *tc; struct ipsecrequest *isr; @@ -1232,21 +1213,6 @@ ah_attach(void) { xform_register(&ah_xformsw); -#ifndef VIMAGE_GLOBALS - vnet_mod_register(&vnet_ah_modinfo); -#else - ah_iattach(NULL); -#endif } -static int -ah_iattach(const void *unused __unused) -{ - INIT_VNET_IPSEC(curvnet); - - V_ah_enable = 1; /* control flow of packets with AH */ - V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */ - - return (0); -} SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index 6508c14..afb9d2d 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -49,6 +49,7 @@ #include <sys/vimage.h> #include <net/if.h> +#include <net/vnet.h> #include <netinet/in.h> #include <netinet/in_systm.h> 
@@ -76,30 +77,21 @@ #include <opencrypto/cryptodev.h> #include <opencrypto/xform.h> -#ifdef VIMAGE_GLOBALS -struct espstat espstat; -static int esp_max_ivlen; /* max iv length over all algorithms */ -int esp_enable; -#endif +VNET_DEFINE(int, esp_enable) = 1; +VNET_DEFINE(struct espstat, espstat); SYSCTL_DECL(_net_inet_esp); -SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO, - esp_enable, CTLFLAG_RW, esp_enable, 0, ""); -SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS, - stats, CTLFLAG_RD, espstat, espstat, ""); +SYSCTL_VNET_INT(_net_inet_esp, OID_AUTO, + esp_enable, CTLFLAG_RW, &VNET_NAME(esp_enable), 0, ""); +SYSCTL_VNET_STRUCT(_net_inet_esp, IPSECCTL_STATS, + stats, CTLFLAG_RD, &VNET_NAME(espstat), espstat, ""); + +/* max iv length over all algorithms */ +static VNET_DEFINE(int, esp_max_ivlen) = 0; +#define V_esp_max_ivlen VNET_GET(esp_max_ivlen) static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); -static int esp_iattach(const void *); - -#ifndef VIMAGE_GLOBALS -static const vnet_modinfo_t vnet_esp_modinfo = { - .vmi_id = VNET_MOD_ESP, - .vmi_name = "ipsec_esp", - .vmi_dependson = VNET_MOD_IPSEC, - .vmi_iattach = esp_iattach -}; -#endif /* !VIMAGE_GLOBALS */ /* * NB: this is public for use by the PF_KEY support. @@ -134,7 +126,6 @@ esp_algorithm_lookup(int alg) size_t esp_hdrsiz(struct secasvar *sav) { - INIT_VNET_IPSEC(curvnet); size_t size; if (sav != NULL) { @@ -169,7 +160,6 @@ esp_hdrsiz(struct secasvar *sav) static int esp_init(struct secasvar *sav, struct xformsw *xsp) { - INIT_VNET_IPSEC(curvnet); struct enc_xform *txform; struct cryptoini cria, crie; int keylen; @@ -280,7 +270,6 @@ esp_zeroize(struct secasvar *sav) static int esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - INIT_VNET_IPSEC(curvnet); struct auth_hash *esph; struct enc_xform *espx; struct tdb_ident *tdbi; 
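Review bot: `esp_max_ivlen` becomes a per-vnet variable here (`static VNET_DEFINE(int, esp_max_ivlen) = 0;`) but it is computed in `esp_attach()` in the `@@ -1000,27 +986,10 @@` hunk on the next line, which runs once from a plain `SYSINIT`, not once per vnet; under VIMAGE only the vnet that executes the SYSINIT would receive the computed maximum and every other vnet would keep the initializer 0, which presumably feeds the header-size estimate in `esp_hdrsiz()` when no SA is given. Since the value depends only on the compiled-in transforms, not on any vnet, a plain global is the simplest fix: `static int esp_max_ivlen; /* max iv length over all algorithms */` and `if (xform.blocksize > esp_max_ivlen) esp_max_ivlen = xform.blocksize` in the MAXIV macro, dropping the `V_esp_max_ivlen` accessor. The file also keeps `#include <sys/vimage.h>` next to the newly added `<net/vnet.h>` in the preceding hunk; if vnet.h is where the new macros come from, the old include can probably go.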
@@ -463,7 +452,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 static int
 esp_input_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
 int hlen, skip, protoff, error;
 struct mbuf *m;
@@ -667,7 +655,6 @@ esp_output(
 int protoff
 )
 {
- INIT_VNET_IPSEC(curvnet);
 struct enc_xform *espx;
 struct auth_hash *esph;
 int hlen, rlen, plen, padding, blks, alen, i, roff;
@@ -898,7 +885,6 @@ bad:
 static int
 esp_output_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct tdb_crypto *tc;
 struct ipsecrequest *isr;
 struct secasvar *sav;
@@ -1000,27 +986,10 @@ static struct xformsw esp_xformsw = {
 static void
 esp_attach(void)
 {
-
- xform_register(&esp_xformsw);
-#ifndef VIMAGE_GLOBALS
- vnet_mod_register(&vnet_esp_modinfo);
-#else
- esp_iattach(NULL);
-#endif
-}
-
-static int
-esp_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
 #define MAXIV(xform) \
 if (xform.blocksize > V_esp_max_ivlen) \
 V_esp_max_ivlen = xform.blocksize \
- V_esp_enable = 1;
- V_esp_max_ivlen = 0;
-
 MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
 MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
 MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
@@ -1029,8 +998,8 @@ esp_iattach(const void *unused __unused)
 MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */
 MAXIV(enc_xform_null); /* SADB_EALG_NULL */
 MAXIV(enc_xform_camellia); /* SADB_X_EALG_CAMELLIACBC */
-#undef MAXIV
- return (0);
+ xform_register(&esp_xformsw);
+#undef MAXIV
 }
 SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, esp_attach, NULL);
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 8e2f1c4..2ea83e0 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -49,6 +49,8 @@
 #include <netinet/ip_var.h>
 #include <net/route.h>
+#include <net/vnet.h>
+
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
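Review bot: `V_esp_max_ivlen` is now per-vnet storage (`static VNET_DEFINE(int, esp_max_ivlen) = 0;` in the earlier hunk) but the MAXIV loop that fills it runs only here, in the `esp_attach` SYSINIT, i.e. once in the vnet that exists at boot; any vnet created afterwards starts from the `= 0` initializer and never runs this loop, so it would report a zero maximum IV length. The value is a property of the fixed `enc_xform_*` table, not of a vnet, so it should be a plain `static int esp_max_ivlen;` with `V_esp_max_ivlen` dropped, or the computation moved to a per-vnet attach hook. I cannot see from this diff whether anything still reads `V_esp_max_ivlen` after this commit; if nothing does, removing the variable and the MAXIV block is cleaner than carrying a per-vnet value that is only correct in one vnet.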
@@ -67,29 +69,25 @@
 #include <opencrypto/deflate.h>
 #include <opencrypto/xform.h>
-#ifdef VIMAGE_GLOBALS
-int ipcomp_enable;
-struct ipcompstat ipcompstat;
-#endif
+VNET_DEFINE(int, ipcomp_enable) = 0;
+VNET_DEFINE(struct ipcompstat, ipcompstat);
 SYSCTL_DECL(_net_inet_ipcomp);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
- ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ipcompstat, ipcompstat, "");
+SYSCTL_VNET_INT(_net_inet_ipcomp, OID_AUTO,
+ ipcomp_enable, CTLFLAG_RW, &VNET_NAME(ipcomp_enable), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ipcompstat), ipcompstat, "");
 static int ipcomp_input_cb(struct cryptop *crp);
 static int ipcomp_output_cb(struct cryptop *crp);
-static int ipcomp_iattach(const void *);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
 static const vnet_modinfo_t vnet_ipcomp_modinfo = {
 .vmi_id = VNET_MOD_IPCOMP,
 .vmi_name = "ipsec_ipcomp",
 .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ipcomp_iattach
 };
-#endif /* !VIMAGE_GLOBALS */
+#endif
 struct comp_algo *
 ipcomp_algorithm_lookup(int alg)
@@ -109,7 +107,6 @@ ipcomp_algorithm_lookup(int alg)
 static int
 ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct comp_algo *tcomp;
 struct cryptoini cric;
@@ -150,7 +147,6 @@ ipcomp_zeroize(struct secasvar *sav)
 static int
 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
- INIT_VNET_IPSEC(curvnet);
 struct tdb_crypto *tc;
 struct cryptodesc *crdc;
 struct cryptop *crp;
@@ -221,7 +217,6 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 static int
 ipcomp_input_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct cryptodesc *crd;
 struct tdb_crypto *tc;
 int skip, protoff;
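Review bot: `vnet_ipcomp_modinfo` is kept under `#ifdef VIMAGE` with its `.vmi_iattach` removed, leaving a descriptor whose only remaining effect is `.vmi_dependson = VNET_MOD_IPSEC`, while the xform_esp.c hunk in this same commit deletes `vnet_esp_modinfo` outright; the two files now disagree on whether an xform without per-vnet state needs a module descriptor at all. If it is retained deliberately so that `VNET_MOD_IPCOMP` keeps ordering after `VNET_MOD_IPSEC`, say so above the struct, e.g. `/* No per-vnet state to set up; registered only to order after VNET_MOD_IPSEC. */`; otherwise drop it as esp does, so a reader does not assume one of the two files lost its attach hook by accident. I cannot tell from the diff whether `vnet_mod_register()` accepts a descriptor with no `vmi_iattach`, so that should be confirmed before the `#ifdef VIMAGE` build is relied on.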
@@ -342,7 +337,6 @@ ipcomp_output(
 int protoff
 )
 {
- INIT_VNET_IPSEC(curvnet);
 struct secasvar *sav;
 struct comp_algo *ipcompx;
 int error, ralen, hlen, maxpacketsize, roff;
@@ -501,7 +495,6 @@ bad:
 static int
 ipcomp_output_cb(struct cryptop *crp)
 {
- INIT_VNET_IPSEC(curvnet);
 struct tdb_crypto *tc;
 struct ipsecrequest *isr;
 struct secasvar *sav;
@@ -611,19 +604,9 @@ ipcomp_attach(void)
 {
 xform_register(&ipcomp_xformsw);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
 vnet_mod_register(&vnet_ipcomp_modinfo);
-#else
- ipcomp_iattach(NULL);
 #endif
 }
-static int
-ipcomp_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ipcomp_enable = 0;
- return (0);
-}
 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index d9cf8c6..8de23ec 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -68,7 +68,6 @@
 #ifdef MROUTING
 #include <netinet/ip_mroute.h>
 #endif
-#include <netinet/vinet.h>
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
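Review bot: This is the only include change in xform_ipip.c and it removes `<netinet/vinet.h>` without adding `<net/vnet.h>`, even though the following hunk makes the file use `VNET_DEFINE`, `VNET_NAME` and `SYSCTL_VNET_INT`; xform_esp.c, xform_ipcomp.c and xform_tcp.c each gain `+#include <net/vnet.h>` in this same diff. The build presumably succeeds only because a header already included here (`<netipsec/ipsec.h>` is the likely candidate) pulls `net/vnet.h` in transitively, which is the kind of dependency that breaks when that header is later trimmed. Add `#include <net/vnet.h>` next to the other `<net/...>` includes so xform_ipip.c declares the macros it uses, matching the other three files.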
@@ -92,31 +91,27 @@
 * We can control the acceptance of IP4 packets by altering the sysctl
 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
 */
-#ifdef VIMAGE_GLOBALS
-int ipip_allow;
-struct ipipstat ipipstat;
-#endif
+VNET_DEFINE(int, ipip_allow) = 0;
+VNET_DEFINE(struct ipipstat, ipipstat);
 SYSCTL_DECL(_net_inet_ipip);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
- ipip_allow, CTLFLAG_RW, ipip_allow, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipip, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ipipstat, ipipstat, "");
+SYSCTL_VNET_INT(_net_inet_ipip, OID_AUTO,
+ ipip_allow, CTLFLAG_RW, &VNET_NAME(ipip_allow), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ipipstat), ipipstat, "");
 /* XXX IPCOMP */
 #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
 static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp);
-static int ipe4_iattach(const void *);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
 static const vnet_modinfo_t vnet_ipip_modinfo = {
 .vmi_id = VNET_MOD_IPIP,
 .vmi_name = "ipsec_ipip",
 .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ipe4_iattach
 };
-#endif /* !VIMAGE_GLOBALS */
+#endif
 #ifdef INET6
 /*
@@ -169,8 +164,6 @@ ip4_input(struct mbuf *m, int off)
 static void
 _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 {
- INIT_VNET_NET(curvnet);
- INIT_VNET_IPSEC(curvnet);
 #ifdef INET
 register struct sockaddr_in *sin;
 #endif
@@ -424,10 +417,6 @@ ipip_output(
 int protoff
 )
 {
- INIT_VNET_IPSEC(curvnet);
-#ifdef INET
- INIT_VNET_INET(curvnet);
-#endif /* INET */
 struct secasvar *sav;
 u_int8_t tp, otos;
 struct secasindex *saidx;
@@ -708,15 +697,6 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
 return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
 }
-static int
-ipe4_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ipip_allow = 0;
- return (0);
-}
-
 static void
 ipe4_attach(void)
 {
@@ -730,10 +710,8 @@ ipe4_attach(void)
 (void) encap_attach_func(AF_INET6, -1, ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
 #endif
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
 vnet_mod_register(&vnet_ipip_modinfo);
-#else
- ipe4_iattach(NULL);
 #endif
 }
 SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 35a4d43..1fad954 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -49,6 +49,8 @@
 #include <netinet/tcp_var.h>
 #include <net/route.h>
+#include <net/vnet.h>
+
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
@@ -83,7 +85,6 @@ static int tcpsignature_init(struct secasvar *sav, struct xformsw *xsp)
 {
- INIT_VNET_IPSEC(curvnet);
 int keylen;
 if (sav->spi != htonl(TCP_SIG_SPI)) { |