author: Robert Watson <rwatson@FreeBSD.org> 2009-07-14 22:48:30 +0000
committer: Robert Watson <rwatson@FreeBSD.org> 2009-07-14 22:48:30 +0000
commit: eddfbb763ded6b5f6777335142be9a0edab628bb (patch)
tree: 13848f891fb2f7a396281b31633563d0f764ff65 /sys/netipsec/key.c
parent: 2286fe763592aa13d320186bf3e233a560af749b (diff)
1 files changed, 72 insertions, 137 deletions
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 3dc687842f6e..07a59454e5f8 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -61,6 +61,7 @@
 #include <net/if.h>
 #include <net/route.h>
 #include <net/raw_cb.h>
+#include <net/vnet.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -75,11 +76,9 @@
 
 #ifdef INET
 #include <netinet/in_pcb.h>
-#include <netinet/vinet.h>
 #endif
 #ifdef INET6
 #include <netinet6/in6_pcb.h>
-#include <netinet6/vinet6.h>
 #endif /* INET6 */
 
 #include <net/pfkeyv2.h>
@@ -99,7 +98,6 @@
 
 /* randomness */
 #include <sys/random.h>
-#include <sys/vimage.h>
 
 #define FULLMASK	0xff
 #define	_BITS(bytes)	((bytes) << 3)
@@ -115,31 +113,37 @@
  *   field hits 0 (= no external reference other than from SA header.
  */
 
-#ifdef VIMAGE_GLOBALS
-u_int32_t key_debug_level;
-static u_int key_spi_trycnt;
-static u_int32_t key_spi_minval;
-static u_int32_t key_spi_maxval;
-static u_int32_t policy_id;
-static u_int key_int_random;
-static u_int key_larval_lifetime;
-static int key_blockacq_count;
-static int key_blockacq_lifetime;
-static int key_preferred_oldsa;
-
-static u_int32_t acq_seq;
-
-static int ipsec_esp_keymin;
-static int ipsec_esp_auth;
-static int ipsec_ah_keymin;
-
-static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX];	/* SPD */
-static LIST_HEAD(_sahtree, secashead) sahtree;			/* SAD */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
-static LIST_HEAD(_acqtree, secacq) acqtree;		/* acquiring list */
-static LIST_HEAD(_spacqtree, secspacq) spacqtree;	/* SP acquiring list */
-#endif /* VIMAGE_GLOBALS */
-
+VNET_DEFINE(u_int32_t, key_debug_level) = 0;
+static VNET_DEFINE(u_int, key_spi_trycnt) = 1000;
+#define	V_key_spi_trycnt	VNET_GET(key_spi_trycnt)
+static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100;
+#define	V_key_spi_minval	VNET_GET(key_spi_minval)
+static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff;	/* XXX */
+#define	V_key_spi_maxval	VNET_GET(key_spi_maxval)
+static VNET_DEFINE(u_int32_t, policy_id) = 0;
+#define	V_policy_id		VNET_GET(policy_id)
+/*interval to initialize randseed,1(m)*/
+static VNET_DEFINE(u_int, key_int_random) = 60;
+#define	V_key_int_random	VNET_GET(key_int_random)
+/* interval to expire acquiring, 30(s)*/
+static VNET_DEFINE(u_int, key_larval_lifetime) = 30;
+#define	V_key_larval_lifetime	VNET_GET(key_larval_lifetime)
+/* counter for blocking SADB_ACQUIRE.*/
+static VNET_DEFINE(int, key_blockacq_count) = 10;
+#define	V_key_blockacq_count	VNET_GET(key_blockacq_count)
+/* lifetime for blocking SADB_ACQUIRE.*/
+static VNET_DEFINE(int, key_blockacq_lifetime) = 20;
+#define	V_key_blockacq_lifetime	VNET_GET(key_blockacq_lifetime)
+/* preferred old sa rather than new sa.*/
+static VNET_DEFINE(int, key_preferred_oldsa) = 1;
+#define	V_key_preferred_oldsa	VNET_GET(key_preferred_oldsa)
+
+static VNET_DEFINE(u_int32_t, acq_seq) = 0;
+#define	V_acq_seq		VNET_GET(acq_seq)
+
+								/* SPD */
+static VNET_DEFINE(LIST_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]);
+#define	V_sptree		VNET_GET(sptree)
 static struct mtx sptree_lock;
 #define	SPTREE_LOCK_INIT() \
 	mtx_init(&sptree_lock, "sptree", \
@@ -149,6 +153,8 @@ static struct mtx sptree_lock;
 #define	SPTREE_UNLOCK()	mtx_unlock(&sptree_lock)
 #define	SPTREE_LOCK_ASSERT()	mtx_assert(&sptree_lock, MA_OWNED)
 
+static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree);	/* SAD */
+#define	V_sahtree		VNET_GET(sahtree)
 static struct mtx sahtree_lock;
 #define	SAHTREE_LOCK_INIT() \
 	mtx_init(&sahtree_lock, "sahtree", \
@@ -159,6 +165,8 @@ static struct mtx sahtree_lock;
 #define	SAHTREE_LOCK_ASSERT()	mtx_assert(&sahtree_lock, MA_OWNED)
 
 							/* registed list */
+static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
+#define	V_regtree		VNET_GET(regtree)
 static struct mtx regtree_lock;
 #define	REGTREE_LOCK_INIT() \
 	mtx_init(&regtree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -167,6 +175,8 @@ static struct mtx regtree_lock;
 #define	REGTREE_UNLOCK()	mtx_unlock(&regtree_lock)
 #define	REGTREE_LOCK_ASSERT()	mtx_assert(&regtree_lock, MA_OWNED)
 
+static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */
+#define	V_acqtree		VNET_GET(acqtree)
 static struct mtx acq_lock;
 #define	ACQ_LOCK_INIT() \
 	mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -175,6 +185,9 @@ static struct mtx acq_lock;
 #define	ACQ_UNLOCK()		mtx_unlock(&acq_lock)
 #define	ACQ_LOCK_ASSERT()	mtx_assert(&acq_lock, MA_OWNED)
 
+							/* SP acquiring list */
+static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree);
+#define	V_spacqtree		VNET_GET(spacqtree)
 static struct mtx spacq_lock;
 #define	SPACQ_LOCK_INIT() \
 	mtx_init(&spacq_lock, "spacqtree", \
@@ -257,56 +270,63 @@ static const int maxsize[] = {
 	sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */
 };
 
+static VNET_DEFINE(int, ipsec_esp_keymin) = 256;
+#define	V_ipsec_esp_keymin	VNET_GET(ipsec_esp_keymin)
+static VNET_DEFINE(int, ipsec_esp_auth) = 0;
+#define	V_ipsec_esp_auth	VNET_GET(ipsec_esp_auth)
+static VNET_DEFINE(int, ipsec_ah_keymin) = 128;
+#define	V_ipsec_ah_keymin	VNET_GET(ipsec_ah_keymin)
+
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_net_key);
 #endif
 
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_DEBUG_LEVEL,	debug,
-	CTLFLAG_RW, key_debug_level,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_DEBUG_LEVEL,	debug,
+	CTLFLAG_RW, &VNET_NAME(key_debug_level),	0,	"");
 
 /* max count of trial for the decision of spi value */
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_SPI_TRY, spi_trycnt,
-	CTLFLAG_RW, key_spi_trycnt,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt,
+	CTLFLAG_RW, &VNET_NAME(key_spi_trycnt),	0,	"");
 
 /* minimum spi value to allocate automatically. */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MIN_VALUE,
-	spi_minval,	CTLFLAG_RW, key_spi_minval,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MIN_VALUE,
+	spi_minval,	CTLFLAG_RW, &VNET_NAME(key_spi_minval),	0,	"");
 
 /* maximun spi value to allocate automatically. */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MAX_VALUE,
-	spi_maxval,	CTLFLAG_RW, key_spi_maxval,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MAX_VALUE,
+	spi_maxval,	CTLFLAG_RW, &VNET_NAME(key_spi_maxval),	0,	"");
 
 /* interval to initialize randseed */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_RANDOM_INT,
-	int_random,	CTLFLAG_RW, key_int_random,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_RANDOM_INT,
+	int_random,	CTLFLAG_RW, &VNET_NAME(key_int_random),	0,	"");
 
 /* lifetime for larval SA */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_LARVAL_LIFETIME,
-	larval_lifetime, CTLFLAG_RW, key_larval_lifetime,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_LARVAL_LIFETIME,
+	larval_lifetime, CTLFLAG_RW, &VNET_NAME(key_larval_lifetime),	0, "");
 
 /* counter for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_COUNT,
-	blockacq_count,	CTLFLAG_RW, key_blockacq_count,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_COUNT,
+	blockacq_count,	CTLFLAG_RW, &VNET_NAME(key_blockacq_count),	0, "");
 
 /* lifetime for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_LIFETIME,
-	blockacq_lifetime, CTLFLAG_RW, key_blockacq_lifetime,	0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME,
+	blockacq_lifetime, CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, "");
 
 /* ESP auth */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_AUTH,	esp_auth,
-	CTLFLAG_RW, ipsec_esp_auth,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_AUTH,	esp_auth,
+	CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth),	0,	"");
 
 /* minimum ESP key length */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_KEYMIN,
-	esp_keymin, CTLFLAG_RW, ipsec_esp_keymin,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_KEYMIN,
+	esp_keymin, CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin),	0,	"");
 
 /* minimum AH key length */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_AH_KEYMIN,	ah_keymin,
-	CTLFLAG_RW, ipsec_ah_keymin,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_AH_KEYMIN,	ah_keymin,
+	CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin),	0,	"");
 
 /* perfered old SA rather than new SA */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_PREFERED_OLDSA,
-	preferred_oldsa, CTLFLAG_RW, key_preferred_oldsa,	0,	"");
+SYSCTL_VNET_INT(_net_key, KEYCTL_PREFERED_OLDSA,
+	preferred_oldsa, CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa),	0, "");
 
 #define __LIST_CHAINED(elm) \
 	(!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
@@ -579,7 +599,6 @@ key_addref(struct secpolicy *sp)
 int
 key_havesp(u_int dir)
 {
-	INIT_VNET_IPSEC(curvnet);
 
 	return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
 		LIST_FIRST(&V_sptree[dir]) != NULL : 1);
@@ -595,7 +614,6 @@ key_havesp(u_int dir)
 struct secpolicy *
 key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -652,7 +670,6 @@ key_allocsp2(u_int32_t spi,
 	     u_int dir,
 	     const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	IPSEC_ASSERT(dst != NULL, ("null dst"));
@@ -715,7 +732,6 @@ key_gettunnel(const struct sockaddr *osrc,
 	      const struct sockaddr *idst,
 	      const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 	const int dir = IPSEC_DIR_INBOUND;
 	struct ipsecrequest *r1, *r2, *p;
@@ -791,7 +807,6 @@ done:
 int
 key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx)
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int level;
 	int error;
 
@@ -887,7 +902,6 @@ static struct secasvar *
 key_allocsa_policy(const struct secasindex *saidx)
 {
 #define	N(a)	_ARRAYLEN(a)
-	INIT_VNET_IPSEC(curvnet);	
 	struct secashead *sah;
 	struct secasvar *sav;
 	u_int stateidx, arraysize;
@@ -935,7 +949,6 @@ key_allocsa_policy(const struct secasindex *saidx)
 static struct secasvar *
 key_do_allocsa_policy(struct secashead *sah, u_int state)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav, *nextsav, *candidate, *d;
 
 	/* initilize */
@@ -1081,7 +1094,6 @@ key_allocsa(
 	u_int32_t spi,
 	const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct secasvar *sav;
 	u_int stateidx, arraysize, state;
@@ -1160,7 +1172,6 @@ done:
 void
 _key_freesp(struct secpolicy **spp, const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp = *spp;
 
 	IPSEC_ASSERT(sp != NULL, ("null sp"));
@@ -1186,7 +1197,6 @@ _key_freesp(struct secpolicy **spp, const char* where, int tag)
 void
 key_freeso(struct socket *so)
 {
-	INIT_VNET_IPSEC(curvnet);
 	IPSEC_ASSERT(so != NULL, ("null so"));
 
 	switch (so->so_proto->pr_domain->dom_family) {
@@ -1237,7 +1247,6 @@ key_freesp_so(struct secpolicy **sp)
 void
 key_freesav(struct secasvar **psav, const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav = *psav;
 
 	IPSEC_ASSERT(sav != NULL, ("null sav"));
@@ -1296,7 +1305,6 @@ key_delsp(struct secpolicy *sp)
 static struct secpolicy *
 key_getsp(struct secpolicyindex *spidx)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -1323,7 +1331,6 @@ key_getsp(struct secpolicyindex *spidx)
 static struct secpolicy *
 key_getspbyid(u_int32_t id)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	SPTREE_LOCK();
@@ -1353,7 +1360,6 @@ done:
 struct secpolicy *
 key_newsp(const char* where, int tag)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *newsp = NULL;
 
 	newsp = (struct secpolicy *)
@@ -1388,7 +1394,6 @@ key_msg2sp(xpl0, len, error)
 	size_t len;
 	int *error;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *newsp;
 
 	IPSEC_ASSERT(xpl0 != NULL, ("null xpl0"));
@@ -1786,7 +1791,6 @@ key_spdadd(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_address *src0, *dst0;
 	struct sadb_x_policy *xpl0, *xpl;
 	struct sadb_lifetime *lft = NULL;
@@ -2019,7 +2023,6 @@ key_spdadd(so, m, mhp)
 static u_int32_t
 key_getnewspid()
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int32_t newid = 0;
 	int count = V_key_spi_trycnt;	/* XXX */
 	struct secpolicy *sp;
@@ -2061,7 +2064,6 @@ key_spddelete(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_address *src0, *dst0;
 	struct sadb_x_policy *xpl0;
 	struct secpolicyindex spidx;
@@ -2170,7 +2172,6 @@ key_spddelete2(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int32_t id;
 	struct secpolicy *sp;
 
@@ -2263,7 +2264,6 @@ key_spdget(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int32_t id;
 	struct secpolicy *sp;
 	struct mbuf *n;
@@ -2315,7 +2315,6 @@ int
 key_spdacquire(sp)
 	struct secpolicy *sp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *result = NULL, *m;
 	struct secspacq *newspacq;
 
@@ -2378,7 +2377,6 @@ key_spdflush(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_msg *newmsg;
 	struct secpolicy *sp;
 	u_int dir;
@@ -2431,7 +2429,6 @@ key_spddump(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 	int cnt;
 	u_int dir;
@@ -2704,7 +2701,6 @@ static struct secashead *
 key_newsah(saidx)
 	struct secasindex *saidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *newsah;
 
 	IPSEC_ASSERT(saidx != NULL, ("null saidx"));
@@ -2733,7 +2729,6 @@ static void
 key_delsah(sah)
 	struct secashead *sah;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav, *nextsav;
 	u_int stateidx;
 	int zombie = 0;
@@ -2795,7 +2790,6 @@ key_newsav(m, mhp, sah, errp, where, tag)
 	const char* where;
 	int tag;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *newsav;
 	const struct sadb_sa *xsa;
 
@@ -2962,7 +2956,6 @@ static struct secashead *
 key_getsah(saidx)
 	struct secasindex *saidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 
 	SAHTREE_LOCK();
@@ -2989,7 +2982,6 @@ key_checkspidup(saidx, spi)
 	struct secasindex *saidx;
 	u_int32_t spi;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct secasvar *sav;
 
@@ -3026,7 +3018,6 @@ key_getsavbyspi(sah, spi)
 	struct secashead *sah;
 	u_int32_t spi;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav;
 	u_int stateidx, state;
 
@@ -3070,7 +3061,6 @@ key_setsaval(sav, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	int error = 0;
 
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -3306,7 +3296,6 @@ key_setsaval(sav, m, mhp)
 static int
 key_mature(struct secasvar *sav)
 {
-	INIT_VNET_IPSEC(curvnet);
 	int error;
 
 	/* check SPI value */
@@ -3782,7 +3771,6 @@ key_setsadbxport(u_int16_t port, u_int16_t type)
 u_int16_t 
 key_portfromsaddr(struct sockaddr *sa)
 {
-	INIT_VNET_IPSEC(curvnet);
 
 	switch (sa->sa_family) {
 #ifdef INET
@@ -3807,7 +3795,6 @@ key_portfromsaddr(struct sockaddr *sa)
 static void
 key_porttosaddr(struct sockaddr *sa, u_int16_t port)
 {
-	INIT_VNET_IPSEC(curvnet);
 
 	switch (sa->sa_family) {
 #ifdef INET
@@ -3868,7 +3855,6 @@ struct seckey *
 key_dup_keymsg(const struct sadb_key *src, u_int len,
 	       struct malloc_type *type)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct seckey *dst;
 	dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
 	if (dst != NULL) {
@@ -3902,7 +3888,6 @@ static struct seclifetime *
 key_dup_lifemsg(const struct sadb_lifetime *src,
 		 struct malloc_type *type)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct seclifetime *dst = NULL;
 
 	dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), 
@@ -3928,7 +3913,6 @@ key_ismyaddr(sa)
 	struct sockaddr *sa;
 {
 #ifdef INET
-	INIT_VNET_INET(curvnet);
 	struct sockaddr_in *sin;
 	struct in_ifaddr *ia;
 #endif
@@ -3976,7 +3960,6 @@ static int
 key_ismyaddr6(sin6)
 	struct sockaddr_in6 *sin6;
 {
-	INIT_VNET_INET6(curvnet);
 	struct in6_ifaddr *ia;
 #if 0
 	struct in6_multi *in6m;
@@ -4325,7 +4308,6 @@ key_bbcmp(const void *a1, const void *a2, u_int bits)
 static void
 key_flush_spd(time_t now)
 {
-	INIT_VNET_IPSEC(curvnet);
 	static u_int16_t sptree_scangen = 0;
 	u_int16_t gen = sptree_scangen++;
 	struct secpolicy *sp;
@@ -4373,7 +4355,6 @@ restart:
 static void
 key_flush_sad(time_t now)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah, *nextsah;
 	struct secasvar *sav, *nextsav;
 
@@ -4511,7 +4492,6 @@ key_flush_sad(time_t now)
 static void
 key_flush_acq(time_t now)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secacq *acq, *nextacq;
 
 	/* ACQ tree */
@@ -4530,7 +4510,6 @@ key_flush_acq(time_t now)
 static void
 key_flush_spacq(time_t now)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secspacq *acq, *nextacq;
 
 	/* SP ACQ tree */
@@ -4678,7 +4657,6 @@ key_getspi(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
 	struct secashead *newsah;
@@ -4913,7 +4891,6 @@ key_do_getnewspi(spirange, saidx)
 	struct sadb_spirange *spirange;
 	struct secasindex *saidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	u_int32_t newspi;
 	u_int32_t min, max;
 	int count = V_key_spi_trycnt;
@@ -4995,7 +4972,6 @@ key_update(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_sa *sa0;
 	struct sadb_address *src0, *dst0;
 #ifdef IPSEC_NAT_T
@@ -5286,7 +5262,6 @@ key_add(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_sa *sa0;
 	struct sadb_address *src0, *dst0;
 #ifdef IPSEC_NAT_T
@@ -5501,7 +5476,6 @@ key_setident(sah, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	const struct sadb_ident *idsrc, *iddst;
 	int idsrclen, iddstlen;
 
@@ -5624,7 +5598,6 @@ key_delete(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_sa *sa0;
 	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
@@ -5770,7 +5743,6 @@ static int
 key_delete_all(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp,
     u_int16_t proto)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
 	struct secashead *sah;
@@ -5894,7 +5866,6 @@ key_get(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_sa *sa0;
 	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
@@ -6037,7 +6008,6 @@ key_getcomb_setlifetime(comb)
 static struct mbuf *
 key_getcomb_esp()
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_comb *comb;
 	struct enc_xform *algo;
 	struct mbuf *result = NULL, *m, *n;
@@ -6116,7 +6086,6 @@ key_getsizes_ah(
 	u_int16_t* min,
 	u_int16_t* max)
 {
-	INIT_VNET_IPSEC(curvnet);
 
 	*min = *max = ah->keysize;
 	if (ah->keysize == 0) {
@@ -6142,7 +6111,6 @@ key_getsizes_ah(
 static struct mbuf *
 key_getcomb_ah()
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_comb *comb;
 	struct auth_hash *algo;
 	struct mbuf *m;
@@ -6303,7 +6271,6 @@ key_getprop(saidx)
 static int
 key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *result = NULL, *m;
 	struct secacq *newacq;
 	u_int8_t satype;
@@ -6474,7 +6441,6 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
 static struct secacq *
 key_newacq(const struct secasindex *saidx)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secacq *newacq;
 
 	/* get new entry */
@@ -6501,7 +6467,6 @@ key_newacq(const struct secasindex *saidx)
 static struct secacq *
 key_getacq(const struct secasindex *saidx)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secacq *acq;
 
 	ACQ_LOCK();
@@ -6518,7 +6483,6 @@ static struct secacq *
 key_getacqbyseq(seq)
 	u_int32_t seq;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secacq *acq;
 
 	ACQ_LOCK();
@@ -6535,7 +6499,6 @@ static struct secspacq *
 key_newspacq(spidx)
 	struct secpolicyindex *spidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secspacq *acq;
 
 	/* get new entry */
@@ -6562,7 +6525,6 @@ static struct secspacq *
 key_getspacq(spidx)
 	struct secpolicyindex *spidx;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secspacq *acq;
 
 	SPACQ_LOCK();
@@ -6597,7 +6559,6 @@ key_acquire2(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	const struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
 	struct secashead *sah;
@@ -6756,7 +6717,6 @@ key_register(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secreg *reg, *newreg = 0;
 
 	IPSEC_ASSERT(so != NULL, ("null socket"));
@@ -6911,7 +6871,6 @@ key_register(so, m, mhp)
 void
 key_freereg(struct socket *so)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secreg *reg;
 	int i;
 
@@ -7087,7 +7046,6 @@ key_flush(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_msg *newmsg;
 	struct secashead *sah, *nextsah;
 	struct secasvar *sav, *nextsav;
@@ -7171,7 +7129,6 @@ key_dump(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct secasvar *sav;
 	u_int16_t proto;
@@ -7352,7 +7309,6 @@ key_parse(m, so)
 	struct mbuf *m;
 	struct socket *so;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct sadb_msg *msg;
 	struct sadb_msghdr mh;
 	u_int orglen;
@@ -7624,7 +7580,6 @@ key_align(m, mhp)
 	struct mbuf *m;
 	struct sadb_msghdr *mhp;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *n;
 	struct sadb_ext *ext;
 	size_t off, end;
@@ -7792,26 +7747,8 @@ key_validate_ext(ext, len)
 void
 key_init(void)
 {
-	INIT_VNET_IPSEC(curvnet);
 	int i;
 
-	V_key_debug_level = 0;
-	V_key_spi_trycnt = 1000;
-	V_key_spi_minval = 0x100;
-	V_key_spi_maxval = 0x0fffffff;	/* XXX */
-	V_policy_id = 0;
-	V_key_int_random = 60;		/*interval to initialize randseed,1(m)*/
-	V_key_larval_lifetime = 30;	/* interval to expire acquiring, 30(s)*/
-	V_key_blockacq_count = 10;	/* counter for blocking SADB_ACQUIRE.*/
-	V_key_blockacq_lifetime = 20;	/* lifetime for blocking SADB_ACQUIRE.*/
-	V_key_preferred_oldsa = 1;	/* preferred old sa rather than new sa*/
-
-	V_acq_seq = 0;
-
-	V_ipsec_esp_keymin = 256;
-	V_ipsec_esp_auth = 0;
-	V_ipsec_ah_keymin = 128;
-
 	for (i = 0; i < IPSEC_DIR_MAX; i++)
 		LIST_INIT(&V_sptree[i]);
 
@@ -7850,7 +7787,6 @@ key_init(void)
 void
 key_destroy(void)
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp, *nextsp;
 	struct secspacq *acq, *nextacq;
 	struct secashead *sah, *nextsah;
@@ -7984,7 +7920,6 @@ void
 key_sa_routechange(dst)
 	struct sockaddr *dst;
 {
-	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct route *ro;
author	Robert Watson <rwatson@FreeBSD.org>	2009-07-14 22:48:30 +0000
committer	Robert Watson <rwatson@FreeBSD.org>	2009-07-14 22:48:30 +0000
commit	eddfbb763ded6b5f6777335142be9a0edab628bb (patch)
tree	13848f891fb2f7a396281b31633563d0f764ff65 /sys/netipsec/key.c
parent	2286fe763592aa13d320186bf3e233a560af749b (diff)