8 files changed, 129 insertions, 51 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index b752a67..a686f43 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -97,23 +97,19 @@
 
 #include <opencrypto/cryptodev.h>
 
-#ifdef IPSEC_DEBUG
-int ipsec_debug = 1;
-#else
-int ipsec_debug = 0;
-#endif
-
+#ifdef VIMAGE_GLOBALS
 /* NB: name changed so netstat doesn't use it */
 struct ipsecstat ipsec4stat;
-int ip4_ah_offsetmask = 0;	/* maybe IP_DF? */
-int ip4_ipsec_dfbit = 0;	/* DF bit on encap. 0: clear 1: set 2: copy */
-int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
 struct secpolicy ip4_def_policy;
-int ip4_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
-int ip4_esp_randpad = -1;
+int ipsec_debug;
+int ip4_ah_offsetmask;
+int ip4_ipsec_dfbit;
+int ip4_esp_trans_deflev;
+int ip4_esp_net_deflev;
+int ip4_ah_trans_deflev;
+int ip4_ah_net_deflev;
+int ip4_ipsec_ecn;
+int ip4_esp_randpad;
 /*
  * Crypto support requirements:
  *
@@ -121,7 +117,8 @@ int ip4_esp_randpad = -1;
  * -1	require software support
  *  0	take anything
  */
-int	crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+int	crypto_support;
+#endif /* VIMAGE_GLOBALS */
 
 SYSCTL_DECL(_net_inet_ipsec);
 
@@ -164,29 +161,33 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
 	"IPsec IPv4 statistics.");
 
 #ifdef REGRESSION
+#ifdef VIMAGE_GLOBALS
+int ipsec_replay;
+int ipsec_integrity;
+#endif
 /*
  * When set to 1, IPsec will send packets with the same sequence number.
  * This allows to verify if the other side has proper replay attacks detection.
  */
-int ipsec_replay = 0;
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
 	CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
 /*
  * When set 1, IPsec will send packets with corrupted HMAC.
  * This allows to verify if the other side properly detects modified packets.
  */
-int ipsec_integrity = 0;
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
 	CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");
 #endif
 
 #ifdef INET6 
+#ifdef VIMAGE_GLOBALS
 struct ipsecstat ipsec6stat;
-int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+int ip6_esp_trans_deflev;
+int ip6_esp_net_deflev;
+int ip6_ah_trans_deflev;
+int ip6_ah_net_deflev;
+int ip6_ipsec_ecn;
+#endif
 
 SYSCTL_DECL(_net_inet6_ipsec6);
 
@@ -242,6 +243,40 @@ static size_t ipsec_hdrsiz __P((struct secpolicy *));
 
 MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
 
+void
+ipsec_init(void)
+{
+	INIT_VNET_IPSEC(curvnet);
+
+#ifdef IPSEC_DEBUG
+	V_ipsec_debug = 1;
+#else
+	V_ipsec_debug = 0;
+#endif
+
+	V_ip4_ah_offsetmask = 0;	/* maybe IP_DF? */
+	V_ip4_ipsec_dfbit = 0;	/* DF bit on encap. 0: clear 1: set 2: copy */
+	V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ipsec_ecn = 0;	/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+	V_ip4_esp_randpad = -1;
+
+	V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+
+#ifdef REGRESSION
+	V_ipsec_replay = 0;
+	V_ipsec_integrity = 0;
+#endif
+
+	V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ipsec_ecn = 0;	/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+}
+
 /*
  * Return a held reference to the default SP.
  */
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index f6346f8..3bc6bc9 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -359,6 +359,7 @@ extern	struct ipsecrequest *ipsec_newisr(void);
 extern	void ipsec_delisr(struct ipsecrequest *);
 
 struct tdb_ident;
+extern void ipsec_init(void);
 extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int));
 struct inpcb;
 extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int,
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index c3cba60..db79f59 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -113,20 +113,31 @@
  *   field hits 0 (= no external reference other than from SA header.
  */
 
-u_int32_t key_debug_level = 0;
-static u_int key_spi_trycnt = 1000;
-static u_int32_t key_spi_minval = 0x100;
-static u_int32_t key_spi_maxval = 0x0fffffff;	/* XXX */
-static u_int32_t policy_id = 0;
-static u_int key_int_random = 60;	/*interval to initialize randseed,1(m)*/
-static u_int key_larval_lifetime = 30;	/* interval to expire acquiring, 30(s)*/
-static int key_blockacq_count = 10;	/* counter for blocking SADB_ACQUIRE.*/
-static int key_blockacq_lifetime = 20;	/* lifetime for blocking SADB_ACQUIRE.*/
-static int key_preferred_oldsa = 1;	/* preferred old sa rather than new sa.*/
-
-static u_int32_t acq_seq = 0;
+#ifdef VIMAGE_GLOBALS
+u_int32_t key_debug_level;
+static u_int key_spi_trycnt;
+static u_int32_t key_spi_minval;
+static u_int32_t key_spi_maxval;
+static u_int32_t policy_id;
+static u_int key_int_random;
+static u_int key_larval_lifetime;
+static int key_blockacq_count;
+static int key_blockacq_lifetime;
+static int key_preferred_oldsa;
+
+static u_int32_t acq_seq;
+
+static int ipsec_esp_keymin;
+static int ipsec_esp_auth;
+static int ipsec_ah_keymin;
 
 static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX];	/* SPD */
+static LIST_HEAD(_sahtree, secashead) sahtree;			/* SAD */
+static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
+static LIST_HEAD(_acqtree, secacq) acqtree;		/* acquiring list */
+static LIST_HEAD(_spacqtree, secspacq) spacqtree;	/* SP acquiring list */
+#endif /* VIMAGE_GLOBALS */
+
 static struct mtx sptree_lock;
 #define	SPTREE_LOCK_INIT() \
 	mtx_init(&sptree_lock, "sptree", \
@@ -136,7 +147,6 @@ static struct mtx sptree_lock;
 #define	SPTREE_UNLOCK()	mtx_unlock(&sptree_lock)
 #define	SPTREE_LOCK_ASSERT()	mtx_assert(&sptree_lock, MA_OWNED)
 
-static LIST_HEAD(_sahtree, secashead) sahtree;			/* SAD */
 static struct mtx sahtree_lock;
 #define	SAHTREE_LOCK_INIT() \
 	mtx_init(&sahtree_lock, "sahtree", \
@@ -147,7 +157,6 @@ static struct mtx sahtree_lock;
 #define	SAHTREE_LOCK_ASSERT()	mtx_assert(&sahtree_lock, MA_OWNED)
 
 							/* registed list */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
 static struct mtx regtree_lock;
 #define	REGTREE_LOCK_INIT() \
 	mtx_init(&regtree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -156,7 +165,6 @@ static struct mtx regtree_lock;
 #define	REGTREE_UNLOCK()	mtx_unlock(&regtree_lock)
 #define	REGTREE_LOCK_ASSERT()	mtx_assert(&regtree_lock, MA_OWNED)
 
-static LIST_HEAD(_acqtree, secacq) acqtree;		/* acquiring list */
 static struct mtx acq_lock;
 #define	ACQ_LOCK_INIT() \
 	mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -165,7 +173,6 @@ static struct mtx acq_lock;
 #define	ACQ_UNLOCK()		mtx_unlock(&acq_lock)
 #define	ACQ_LOCK_ASSERT()	mtx_assert(&acq_lock, MA_OWNED)
 
-static LIST_HEAD(_spacqtree, secspacq) spacqtree;	/* SP acquiring list */
 static struct mtx spacq_lock;
 #define	SPACQ_LOCK_INIT() \
 	mtx_init(&spacq_lock, "spacqtree", \
@@ -236,10 +243,6 @@ static const int maxsize[] = {
 	sizeof(struct sadb_x_sa2),	/* SADB_X_SA2 */
 };
 
-static int ipsec_esp_keymin = 256;
-static int ipsec_esp_auth = 0;
-static int ipsec_ah_keymin = 128;
-
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_net_key);
 #endif
@@ -7184,6 +7187,23 @@ key_init(void)
 	INIT_VNET_IPSEC(curvnet);
 	int i;
 
+	V_key_debug_level = 0;
+	V_key_spi_trycnt = 1000;
+	V_key_spi_minval = 0x100;
+	V_key_spi_maxval = 0x0fffffff;	/* XXX */
+	V_policy_id = 0;
+	V_key_int_random = 60;		/*interval to initialize randseed,1(m)*/
+	V_key_larval_lifetime = 30;	/* interval to expire acquiring, 30(s)*/
+	V_key_blockacq_count = 10;	/* counter for blocking SADB_ACQUIRE.*/
+	V_key_blockacq_lifetime = 20;	/* lifetime for blocking SADB_ACQUIRE.*/
+	V_key_preferred_oldsa = 1;	/* preferred old sa rather than new sa*/
+
+	V_acq_seq = 0;
+
+	V_ipsec_esp_keymin = 256;
+	V_ipsec_esp_auth = 0;
+	V_ipsec_ah_keymin = 128;
+
 	SPTREE_LOCK_INIT();
 	REGTREE_LOCK_INIT();
 	SAHTREE_LOCK_INIT();
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index 882aed4..6d5c4bc 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -70,14 +70,16 @@ struct key_cb {
 	int key_count;
 	int any_count;
 };
+
+#ifdef VIMAGE_GLOBALS
 static struct key_cb key_cb;
+struct pfkeystat pfkeystat;
+#endif
 
 static struct sockaddr key_src = { 2, PF_KEY, };
 
 static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
 
-struct pfkeystat pfkeystat;
-
 /*
  * key_output()
  */
@@ -570,7 +572,9 @@ static void
 key_init0(void)
 {
 	INIT_VNET_IPSEC(curvnet);
+
 	bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
+	ipsec_init();
 	key_init();
 }
 
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index c5b3697..3a4c7dc 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -88,9 +88,11 @@
 #define	AUTHSIZE(sav) \
 	((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
 
-int	ah_enable = 1;			/* control flow of packets with AH */
-int	ah_cleartos = 1;		/* clear ip_tos when doing AH calc */
+#ifdef VIMAGE_GLOBALS
+int	ah_enable;
+int	ah_cleartos;
 struct	ahstat ahstat;
+#endif
 
 SYSCTL_DECL(_net_inet_ah);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
@@ -1217,6 +1219,10 @@ static struct xformsw ah_xformsw = {
 static void
 ah_attach(void)
 {
+
+	V_ah_enable = 1;	/* control flow of packets with AH */
+	V_ah_cleartos = 1;	/* clear ip_tos when doing AH calc */
+
 	xform_register(&ah_xformsw);
 }
 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 21cc82f..98a2240 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -76,8 +76,11 @@
 #include <opencrypto/cryptodev.h>
 #include <opencrypto/xform.h>
 
-int	esp_enable = 1;
+#ifdef VIMAGE_GLOBALS
 struct	espstat espstat;
+static	int esp_max_ivlen;		/* max iv length over all algorithms */
+int	esp_enable;
+#endif
 
 SYSCTL_DECL(_net_inet_esp);
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
@@ -85,8 +88,6 @@ SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
 	stats,		CTLFLAG_RD,	espstat,	espstat, "");
 
-static	int esp_max_ivlen;		/* max iv length over all algorithms */
-
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
 
@@ -993,7 +994,9 @@ esp_attach(void)
 	if (xform.blocksize > V_esp_max_ivlen)		\
 		V_esp_max_ivlen = xform.blocksize		\
 
+	V_esp_enable = 1;
 	V_esp_max_ivlen = 0;
+
 	MAXIV(enc_xform_des);		/* SADB_EALG_DESCBC */
 	MAXIV(enc_xform_3des);		/* SADB_EALG_3DESCBC */
 	MAXIV(enc_xform_rijndael128);	/* SADB_X_EALG_AES */
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 3492924..d64abf0f 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -67,8 +67,10 @@
 #include <opencrypto/deflate.h>
 #include <opencrypto/xform.h>
 
-int	ipcomp_enable = 0;
+#ifdef VIMAGE_GLOBALS
+int	ipcomp_enable;
 struct	ipcompstat ipcompstat;
+#endif
 
 SYSCTL_DECL(_net_inet_ipcomp);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
@@ -597,6 +599,8 @@ static struct xformsw ipcomp_xformsw = {
 static void
 ipcomp_attach(void)
 {
+
+	V_ipcomp_enable = 0;
 	xform_register(&ipcomp_xformsw);
 }
 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 568d42e..610f984 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -91,8 +91,10 @@
  * We can control the acceptance of IP4 packets by altering the sysctl
  * net.inet.ipip.allow value.  Zero means drop them, all else is acceptance.
  */
-int	ipip_allow = 0;
+#ifdef VIMAGE_GLOBALS
+int	ipip_allow;
 struct	ipipstat ipipstat;
+#endif
 
 SYSCTL_DECL(_net_inet_ipip);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
@@ -694,6 +696,9 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
 static void
 ipe4_attach(void)
 {
+
+	V_ipip_allow = 0;
+
 	xform_register(&ipe4_xformsw);
 	/* attach to encapsulation framework */
 	/* XXX save return cookie for detach on module remove */