Date:      Thu, 30 Oct 2008 10:43:19 GMT
From:      Marko Zec <zec@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 152202 for review
Message-ID:  <200810301043.m9UAhJZc007882@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=152202

Change 152202 by zec@zec_tpx32 on 2008/10/30 10:42:19

	Initialize all V_ variables in initializer functions (like
	       ip_init() etc.) instead of using initialization at instantiation,
	in IPSEC related code (sys/netipsec).
	
	       Enclose all the affected V_ globals in #ifdef VIMAGE_GLOBALS, so
	that in next step we can simplify switching from globals to vimage
	       structures / containers.

Affected files ...

.. //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.c#13 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.h#6 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/key.c#14 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/keysock.c#9 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/vipsec.h#5 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ah.c#10 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/xform_esp.c#11 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipcomp.c#9 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipip.c#9 edit

Differences ...

==== //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.c#13 (text+ko) ====

@@ -97,23 +97,19 @@
 
 #include <opencrypto/cryptodev.h>
 
-#ifdef IPSEC_DEBUG
-int ipsec_debug = 1;
-#else
-int ipsec_debug = 0;
-#endif
-
+#ifdef VIMAGE_GLOBALS
 /* NB: name changed so netstat doesn't use it */
 struct ipsecstat ipsec4stat;
-int ip4_ah_offsetmask = 0;	/* maybe IP_DF? */
-int ip4_ipsec_dfbit = 0;	/* DF bit on encap. 0: clear 1: set 2: copy */
-int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
 struct secpolicy ip4_def_policy;
-int ip4_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
-int ip4_esp_randpad = -1;
+int ipsec_debug;
+int ip4_ah_offsetmask;
+int ip4_ipsec_dfbit;
+int ip4_esp_trans_deflev;
+int ip4_esp_net_deflev;
+int ip4_ah_trans_deflev;
+int ip4_ah_net_deflev;
+int ip4_ipsec_ecn;
+int ip4_esp_randpad;
 /*
  * Crypto support requirements:
  *
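Review bot: The declarations in this `#ifdef VIMAGE_GLOBALS` block no longer show their defaults, and nothing here says where they are now assigned. The non-zero ones (`ip4_esp_randpad` was -1, the four `ip4_*_deflev` were `IPSEC_LEVEL_USE`, and `crypto_support` in the next hunk was `CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE`) are zero until `ipsec_init()` has run. A one-line comment above the block would keep that visible, e.g. `/* Defaults are assigned in ipsec_init(); everything here is zero before it runs. */`. The block's closing `#endif` falls in the following hunk.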
@@ -121,7 +117,8 @@
  * -1	require software support
  *  0	take anything
  */
-int	crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+int	crypto_support;
+#endif /* VIMAGE_GLOBALS */
 
 SYSCTL_DECL(_net_inet_ipsec);
 
@@ -164,29 +161,33 @@
 	"IPsec IPv4 statistics.");
 
 #ifdef REGRESSION
+#ifdef VIMAGE_GLOBALS
+int ipsec_replay;
+int ipsec_integrity;
+#endif
 /*
  * When set to 1, IPsec will send packets with the same sequence number.
  * This allows to verify if the other side has proper replay attacks detection.
  */
-int ipsec_replay = 0;
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
 	CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
 /*
  * When set 1, IPsec will send packets with corrupted HMAC.
  * This allows to verify if the other side properly detects modified packets.
  */
-int ipsec_integrity = 0;
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
 	CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");
 #endif
 
 #ifdef INET6 
+#ifdef VIMAGE_GLOBALS
 struct ipsecstat ipsec6stat;
-int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+int ip6_esp_trans_deflev;
+int ip6_esp_net_deflev;
+int ip6_ah_trans_deflev;
+int ip6_ah_net_deflev;
+int ip6_ipsec_ecn;
+#endif
 
 SYSCTL_DECL(_net_inet6_ipsec6);
 
@@ -242,6 +243,39 @@
 
 MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
 
+void
+ipsec_init(void)
+{
+	INIT_VNET_IPSEC(curvnet);
+
+#ifdef IPSEC_DEBUG
+	V_ipsec_debug = 1;
+#else
+	V_ipsec_debug = 0;
+#endif
+
+	V_ip4_ah_offsetmask = 0;	/* maybe IP_DF? */
+	V_ip4_ipsec_dfbit = 0;	/* DF bit on encap. 0: clear 1: set 2: copy */
+	V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ipsec_ecn = 0;	/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+	V_ip4_esp_randpad = -1;
+	V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+
+#ifdef REGRESSION
+	V_ipsec_replay = 0;
+	V_ipsec_integrity = 0;
+#endif
+
+	V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ipsec_ecn = 0;	/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+}
+
 /*
  * Return a held reference to the default SP.
  */
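Review bot: The five `V_ip6_*` assignments at the end of `ipsec_init()` are not wrapped in `#ifdef INET6`, while the matching globals (`ip6_esp_trans_deflev` through `ip6_ipsec_ecn`) are declared only inside `#ifdef INET6` earlier in this file. If the `V_` names resolve to the plain globals in a `VIMAGE_GLOBALS` build, as the commit message implies but the macro definitions (not shown here) would have to confirm, a kernel configured without INET6 would fail to compile. Guard them the way the REGRESSION pair just above is guarded: `#ifdef INET6` before `V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;` and `#endif` after `V_ip6_ipsec_ecn = 0;`.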

==== //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.h#6 (text+ko) ====

@@ -359,6 +359,7 @@
 extern	void ipsec_delisr(struct ipsecrequest *);
 
 struct tdb_ident;
+extern void ipsec_init(void);
 extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int));
 struct inpcb;
 extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int,

==== //depot/projects/vimage-commit2/src/sys/netipsec/key.c#14 (text+ko) ====

@@ -113,20 +113,31 @@
  *   field hits 0 (= no external reference other than from SA header.
  */
 
-u_int32_t key_debug_level = 0;
-static u_int key_spi_trycnt = 1000;
-static u_int32_t key_spi_minval = 0x100;
-static u_int32_t key_spi_maxval = 0x0fffffff;	/* XXX */
-static u_int32_t policy_id = 0;
-static u_int key_int_random = 60;	/*interval to initialize randseed,1(m)*/
-static u_int key_larval_lifetime = 30;	/* interval to expire acquiring, 30(s)*/
-static int key_blockacq_count = 10;	/* counter for blocking SADB_ACQUIRE.*/
-static int key_blockacq_lifetime = 20;	/* lifetime for blocking SADB_ACQUIRE.*/
-static int key_preferred_oldsa = 1;	/* preferred old sa rather than new sa.*/
+#ifdef VIMAGE_GLOBALS
+u_int32_t key_debug_level;
+static u_int key_spi_trycnt;
+static u_int32_t key_spi_minval;
+static u_int32_t key_spi_maxval;
+static u_int32_t policy_id;
+static u_int key_int_random;
+static u_int key_larval_lifetime;
+static int key_blockacq_count;
+static int key_blockacq_lifetime;
+static int key_preferred_oldsa;
+
+static u_int32_t acq_seq;
 
-static u_int32_t acq_seq = 0;
+static int ipsec_esp_keymin;
+static int ipsec_esp_auth;
+static int ipsec_ah_keymin;
 
 static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX];	/* SPD */
+static LIST_HEAD(_sahtree, secashead) sahtree;			/* SAD */
+static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
+static LIST_HEAD(_acqtree, secacq) acqtree;		/* acquiring list */
+static LIST_HEAD(_spacqtree, secspacq) spacqtree;	/* SP acquiring list */
+#endif /* VIMAGE_GLOBALS */
+
 static struct mtx sptree_lock;
 #define	SPTREE_LOCK_INIT() \
 	mtx_init(&sptree_lock, "sptree", \
@@ -136,7 +147,6 @@
 #define	SPTREE_UNLOCK()	mtx_unlock(&sptree_lock)
 #define	SPTREE_LOCK_ASSERT()	mtx_assert(&sptree_lock, MA_OWNED)
 
-static LIST_HEAD(_sahtree, secashead) sahtree;			/* SAD */
 static struct mtx sahtree_lock;
 #define	SAHTREE_LOCK_INIT() \
 	mtx_init(&sahtree_lock, "sahtree", \
@@ -147,7 +157,6 @@
 #define	SAHTREE_LOCK_ASSERT()	mtx_assert(&sahtree_lock, MA_OWNED)
 
 							/* registed list */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
 static struct mtx regtree_lock;
 #define	REGTREE_LOCK_INIT() \
 	mtx_init(&regtree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -156,7 +165,6 @@
 #define	REGTREE_UNLOCK()	mtx_unlock(&regtree_lock)
 #define	REGTREE_LOCK_ASSERT()	mtx_assert(&regtree_lock, MA_OWNED)
 
-static LIST_HEAD(_acqtree, secacq) acqtree;		/* acquiring list */
 static struct mtx acq_lock;
 #define	ACQ_LOCK_INIT() \
 	mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -165,7 +173,6 @@
 #define	ACQ_UNLOCK()		mtx_unlock(&acq_lock)
 #define	ACQ_LOCK_ASSERT()	mtx_assert(&acq_lock, MA_OWNED)
 
-static LIST_HEAD(_spacqtree, secspacq) spacqtree;	/* SP acquiring list */
 static struct mtx spacq_lock;
 #define	SPACQ_LOCK_INIT() \
 	mtx_init(&spacq_lock, "spacqtree", \
@@ -236,10 +243,6 @@
 	sizeof(struct sadb_x_sa2),	/* SADB_X_SA2 */
 };
 
-static int ipsec_esp_keymin = 256;
-static int ipsec_esp_auth = 0;
-static int ipsec_ah_keymin = 128;
-
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_net_key);
 #endif
@@ -2696,9 +2699,9 @@
 
 	/* searching all SA registerd in the secindex. */
 	for (stateidx = 0;
-	     stateidx < _ARRAYLEN(V_saorder_state_any);
+	     stateidx < _ARRAYLEN(saorder_state_any);
 	     stateidx++) {
-		u_int state = V_saorder_state_any[stateidx];
+		u_int state = saorder_state_any[stateidx];
 		LIST_FOREACH_SAFE(sav, &sah->savtree[state], chain, nextsav) {
 			if (sav->refcnt == 0) {
 				/* sanity check */
@@ -2982,10 +2985,10 @@
 	SAHTREE_LOCK_ASSERT();
 	/* search all status */
 	for (stateidx = 0;
-	     stateidx < _ARRAYLEN(V_saorder_state_alive);
+	     stateidx < _ARRAYLEN(saorder_state_alive);
 	     stateidx++) {
 
-		state = V_saorder_state_alive[stateidx];
+		state = saorder_state_alive[stateidx];
 		LIST_FOREACH(sav, &sah->savtree[state], chain) {
 
 			/* sanity check */
@@ -5310,9 +5313,9 @@
 
 		/* Delete all non-LARVAL SAs. */
 		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(V_saorder_state_alive);
+		     stateidx < _ARRAYLEN(saorder_state_alive);
 		     stateidx++) {
-			state = V_saorder_state_alive[stateidx];
+			state = saorder_state_alive[stateidx];
 			if (state == SADB_SASTATE_LARVAL)
 				continue;
 			for (sav = LIST_FIRST(&sah->savtree[state]);
@@ -6515,9 +6518,9 @@
 			continue;
 
 		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(V_saorder_state_alive);
+		     stateidx < _ARRAYLEN(saorder_state_alive);
 		     stateidx++) {
-			state = V_saorder_state_any[stateidx];
+			state = saorder_state_any[stateidx];
 			for (sav = LIST_FIRST(&sah->savtree[state]);
 			     sav != NULL;
 			     sav = nextsav) {
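Review bot: The loop bound and the indexed array disagree in the new lines: the loop runs to `_ARRAYLEN(saorder_state_alive)` but reads `saorder_state_any[stateidx]`. The mismatch predates this change and the rename carries it over unchanged. Going by the field sizes removed from vipsec.h in this same change (`_saorder_state_alive[3]`, `_saorder_state_any[4]`), the read stays in bounds but the last entry of `saorder_state_any` is never visited, so SAs in that state are skipped here. Use one array for both, e.g. `stateidx < _ARRAYLEN(saorder_state_any);` if every state is meant to be covered, as in the loops at -6600 and -6630; the enclosing function lies outside the hunk, so confirm the intended set there.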
@@ -6600,9 +6603,9 @@
 			continue;
 
 		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(V_saorder_state_any);
+		     stateidx < _ARRAYLEN(saorder_state_any);
 		     stateidx++) {
-			state = V_saorder_state_any[stateidx];
+			state = saorder_state_any[stateidx];
 			LIST_FOREACH(sav, &sah->savtree[state], chain) {
 				cnt++;
 			}
@@ -6630,9 +6633,9 @@
 		}
 
 		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(V_saorder_state_any);
+		     stateidx < _ARRAYLEN(saorder_state_any);
 		     stateidx++) {
-			state = V_saorder_state_any[stateidx];
+			state = saorder_state_any[stateidx];
 			LIST_FOREACH(sav, &sah->savtree[state], chain) {
 				n = key_setdumpsa(sav, SADB_DUMP, satype,
 				    --cnt, mhp->msg->sadb_msg_pid);
@@ -7184,6 +7187,23 @@
 	INIT_VNET_IPSEC(curvnet);
 	int i;
 
+	V_key_debug_level = 0;
+	V_key_spi_trycnt = 1000;
+	V_key_spi_minval = 0x100;
+	V_key_spi_maxval = 0x0fffffff;	/* XXX */
+	V_policy_id = 0;
+	V_key_int_random = 60;		/*interval to initialize randseed,1(m)*/
+	V_key_larval_lifetime = 30;	/* interval to expire acquiring, 30(s)*/
+	V_key_blockacq_count = 10;	/* counter for blocking SADB_ACQUIRE.*/
+	V_key_blockacq_lifetime = 20;	/* lifetime for blocking SADB_ACQUIRE.*/
+	V_key_preferred_oldsa = 1;	/* preferred old sa rather than new sa*/
+
+	V_acq_seq = 0;
+
+	V_ipsec_esp_keymin = 256;
+	V_ipsec_esp_auth = 0;
+	V_ipsec_ah_keymin = 128;
+
 	SPTREE_LOCK_INIT();
 	REGTREE_LOCK_INIT();
 	SAHTREE_LOCK_INIT();
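Review bot: `V_ipsec_esp_keymin = 256;`, `V_ipsec_esp_auth = 0;` and `V_ipsec_ah_keymin = 128;` carry no trailing comment, unlike most of the assignments added above them, and they had none at their old location either. These read like policy defaults that someone auditing the IPsec configuration will look for, so each should state what it is and its unit, e.g. `/* minimum ESP key length (bits? confirm) */`, plus a comment on `V_ipsec_esp_auth` saying what 0 selects. The meanings suggested here are inferred from the names only and need checking against the users of these variables. `key_init()` begins and ends outside the hunk.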

==== //depot/projects/vimage-commit2/src/sys/netipsec/keysock.c#9 (text+ko) ====

@@ -70,14 +70,16 @@
 	int key_count;
 	int any_count;
 };
+
+#ifdef VIMAGE_GLOBALS
 static struct key_cb key_cb;
+struct pfkeystat pfkeystat;
+#endif
 
 static struct sockaddr key_src = { 2, PF_KEY, };
 
 static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
 
-struct pfkeystat pfkeystat;
-
 /*
  * key_output()
  */
@@ -164,7 +166,7 @@
 		V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
 	}
 
-	if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&V_key_src,
+	if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src,
 	    m, NULL)) {
 		V_pfkeystat.in_nomem++;
 		m_freem(m);
@@ -570,7 +572,9 @@
 key_init0(void)
 {
 	INIT_VNET_IPSEC(curvnet);
+
 	bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
+	ipsec_init();
 	key_init();
 }
 

==== //depot/projects/vimage-commit2/src/sys/netipsec/vipsec.h#5 (text+ko) ====

@@ -81,8 +81,6 @@
 	int			_key_preferred_oldsa;
 	u_int32_t		_acq_seq;
 
-	u_int			_saorder_state_alive[3];
-	u_int			_saorder_state_any[4];
 	int			_esp_enable;
 	struct espstat		_espstat;
 	int			_esp_max_ivlen;
@@ -98,7 +96,6 @@
 	int			_ip6_ah_trans_deflev;
 	int			_ip6_ah_net_deflev;
 	int			_ip6_ipsec_ecn;
-	int			_ip6_esp_randpad;
 
 	int			_ah_enable;
 	int			_ah_cleartos;
@@ -109,8 +106,6 @@
 
 	struct pfkeystat	_pfkeystat;
 	struct key_cb		_key_cb;
-	struct sockaddr		_key_dst;
-	struct sockaddr		_key_src;
 
 	LIST_HEAD(, secpolicy)	_sptree[IPSEC_DIR_MAX];
 	LIST_HEAD(, secashead)	_sahtree;
@@ -149,7 +144,6 @@
 #define	V_ip6_ah_net_deflev		VNET_IPSEC(ip6_ah_net_deflev)
 #define	V_ip6_ah_trans_deflev		VNET_IPSEC(ip6_ah_trans_deflev)
 #define	V_ip6_esp_net_deflev		VNET_IPSEC(ip6_esp_net_deflev)
-#define	V_ip6_esp_randpad		VNET_IPSEC(ip6_esp_randpad)
 #define	V_ip6_esp_trans_deflev		VNET_IPSEC(ip6_esp_trans_deflev)
 #define	V_ip6_ipsec_ecn			VNET_IPSEC(ip6_ipsec_ecn)
 #define	V_ipcomp_enable			VNET_IPSEC(ipcomp_enable)
@@ -168,20 +162,16 @@
 #define	V_key_blockacq_lifetime		VNET_IPSEC(key_blockacq_lifetime)
 #define	V_key_cb			VNET_IPSEC(key_cb)
 #define	V_key_debug_level		VNET_IPSEC(key_debug_level)
-#define	V_key_dst			VNET_IPSEC(key_dst)
 #define	V_key_int_random		VNET_IPSEC(key_int_random)
 #define	V_key_larval_lifetime		VNET_IPSEC(key_larval_lifetime)
 #define	V_key_preferred_oldsa		VNET_IPSEC(key_preferred_oldsa)
 #define	V_key_spi_maxval		VNET_IPSEC(key_spi_maxval)	
 #define	V_key_spi_minval		VNET_IPSEC(key_spi_minval)
 #define	V_key_spi_trycnt		VNET_IPSEC(key_spi_trycnt)
-#define	V_key_src			VNET_IPSEC(key_src)
 #define	V_pfkeystat			VNET_IPSEC(pfkeystat)
 #define	V_policy_id			VNET_IPSEC(policy_id)
 #define	V_regtree			VNET_IPSEC(regtree)
 #define	V_sahtree			VNET_IPSEC(sahtree)
-#define	V_saorder_state_alive		VNET_IPSEC(saorder_state_alive)
-#define	V_saorder_state_any		VNET_IPSEC(saorder_state_any)
 #define	V_spacqtree			VNET_IPSEC(spacqtree)
 #define	V_sptree			VNET_IPSEC(sptree)
 

==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ah.c#10 (text+ko) ====

@@ -88,9 +88,11 @@
 #define	AUTHSIZE(sav) \
 	((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
 
-int	ah_enable = 1;			/* control flow of packets with AH */
-int	ah_cleartos = 1;		/* clear ip_tos when doing AH calc */
+#ifdef VIMAGE_GLOBALS
+int	ah_enable;
+int	ah_cleartos;
 struct	ahstat ahstat;
+#endif
 
 SYSCTL_DECL(_net_inet_ah);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
@@ -1217,6 +1219,10 @@
 static void
 ah_attach(void)
 {
+
+	V_ah_enable = 1;	/* control flow of packets with AH */
+	V_ah_cleartos = 1;	/* clear ip_tos when doing AH calc */
+
 	xform_register(&ah_xformsw);
 }
 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
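Review bot: `ah_attach()` now assigns `V_ah_enable` and `V_ah_cleartos` without the `INIT_VNET_IPSEC(curvnet);` line that `ipsec_init()`, `key_init()` and `key_init0()` all have ahead of their `V_` accesses. If `VNET_IPSEC()` relies on a local set up by that macro once the globals are replaced by the vimage container (its definition is not shown here), these assignments would not build or would not reach the intended instance. Add `INIT_VNET_IPSEC(curvnet);` as the first line of the body; the same applies to `ipcomp_attach()` in xform_ipcomp.c and `ipe4_attach()` in xform_ipip.c. The comments in this change describe `ah_enable` as controlling the flow of AH packets and `ipip_allow` as deciding whether IPIP packets are dropped, so it is also worth stating in a comment that their defaults now exist only after these SYSINIT hooks have run.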

==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_esp.c#11 (text+ko) ====

@@ -76,8 +76,11 @@
 #include <opencrypto/cryptodev.h>
 #include <opencrypto/xform.h>
 
-int	esp_enable = 1;
+#ifdef VIMAGE_GLOBALS
 struct	espstat espstat;
+static	int esp_max_ivlen;		/* max iv length over all algorithms */
+int	esp_enable;
+#endif
 
 SYSCTL_DECL(_net_inet_esp);
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
@@ -85,8 +88,6 @@
 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
 	stats,		CTLFLAG_RD,	espstat,	espstat, "");
 
-static	int esp_max_ivlen;		/* max iv length over all algorithms */
-
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
 
@@ -993,7 +994,9 @@
 	if (xform.blocksize > V_esp_max_ivlen)		\
 		V_esp_max_ivlen = xform.blocksize		\
 
+	V_esp_enable = 1;
 	V_esp_max_ivlen = 0;
+
 	MAXIV(enc_xform_des);		/* SADB_EALG_DESCBC */
 	MAXIV(enc_xform_3des);		/* SADB_EALG_3DESCBC */
 	MAXIV(enc_xform_rijndael128);	/* SADB_X_EALG_AES */

==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipcomp.c#9 (text+ko) ====

@@ -67,8 +67,10 @@
 #include <opencrypto/deflate.h>
 #include <opencrypto/xform.h>
 
-int	ipcomp_enable = 0;
+#ifdef VIMAGE_GLOBALS
+int	ipcomp_enable;
 struct	ipcompstat ipcompstat;
+#endif
 
 SYSCTL_DECL(_net_inet_ipcomp);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
@@ -597,6 +599,8 @@
 static void
 ipcomp_attach(void)
 {
+
+	V_ipcomp_enable = 0;
 	xform_register(&ipcomp_xformsw);
 }
 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);

==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipip.c#9 (text+ko) ====

@@ -91,8 +91,10 @@
  * We can control the acceptance of IP4 packets by altering the sysctl
  * net.inet.ipip.allow value.  Zero means drop them, all else is acceptance.
  */
-int	ipip_allow = 0;
+#ifdef VIMAGE_GLOBALS
+int	ipip_allow;
 struct	ipipstat ipipstat;
+#endif
 
 SYSCTL_DECL(_net_inet_ipip);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
@@ -694,6 +696,9 @@
 static void
 ipe4_attach(void)
 {
+
+	V_ipip_allow = 0;
+
 	xform_register(&ipe4_xformsw);
 	/* attach to encapsulation framework */
 	/* XXX save return cookie for detach on module remove */


