Date:      Fri, 13 Jul 2007 11:17:42 GMT
From:      Ana Kukec <anchie@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 123432 for review
Message-ID:  <200707131117.l6DBHgma067776@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=123432

Change 123432 by anchie@anchie_malimis on 2007/07/13 11:16:45

		IPSec virtualization (ESP algorithm only).	

Affected files ...

.. //depot/projects/vimage/src/sys/netinet/ip_ipsec.c#6 edit
.. //depot/projects/vimage/src/sys/netinet/tcp_input.c#16 edit
.. //depot/projects/vimage/src/sys/netinet/udp_usrreq.c#14 edit
.. //depot/projects/vimage/src/sys/netinet6/ip6_ipsec.c#4 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec.c#6 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec.h#3 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#5 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_mbuf.c#3 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#5 edit
.. //depot/projects/vimage/src/sys/netipsec/key.c#5 edit
.. //depot/projects/vimage/src/sys/netipsec/key_debug.h#2 edit
.. //depot/projects/vimage/src/sys/netipsec/keysock.c#4 edit
.. //depot/projects/vimage/src/sys/netipsec/vipsec.h#1 add
.. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#3 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_esp.c#3 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#2 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_ipip.c#4 edit
.. //depot/projects/vimage/src/sys/sys/vimage.h#19 edit

Differences ...

==== //depot/projects/vimage/src/sys/netinet/ip_ipsec.c#6 (text+ko) ====

@@ -62,6 +62,8 @@
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
 #include <netipsec/key.h>
+#include <netipsec/vipsec.h>
+#include <netipsec/vipsec.h>
 #endif /*IPSEC*/
 
 extern	struct protosw inetsw[];
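Review bot: `#include <netipsec/vipsec.h>` is added twice in a row in this hunk; drop one of the two lines. The same copy-paste duplication shows up in the next hunk, where `INIT_VNET_IPSEC(curvnet);` is emitted twice inside ip_ipsec_fwd — if that macro expands to a local declaration (its use of `vnet_ipsec` in vnet_ipsec_idetach suggests it does), the second occurrence redeclares the same local in the same scope.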
@@ -94,7 +96,9 @@
 ip_ipsec_fwd(struct mbuf *m)
 {
 #ifdef IPSEC
+	INIT_VNET_IPSEC(curvnet);
 	INIT_VNET_INET(curvnet);
+	INIT_VNET_IPSEC(curvnet);
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secpolicy *sp;
@@ -138,8 +142,10 @@
  * 1 = drop packet, 0 = continue processing packet.
  */
 int
+	INIT_VNET_IPSEC(curvnet);
 ip_ipsec_input(struct mbuf *m)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct ip *ip = mtod(m, struct ip *);
 #ifdef IPSEC
 	struct m_tag *mtag;
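Review bot: The first added `INIT_VNET_IPSEC(curvnet);` sits at file scope between the return type `int` and `ip_ipsec_input(struct mbuf *m)`, which cannot parse; remove that line. The second occurrence is inside the body but above `#ifdef IPSEC`, while vipsec.h is only included under `#ifdef IPSEC` in the first hunk of this file, so a kernel built without IPSEC would see an undefined macro; move it below the `#ifdef IPSEC` line. The same unconditional use appears in the tcp_input hunk of tcp_input.c and the udp_append hunk of udp_usrreq.c, where `INIT_VNET_IPSEC(...)` is placed outside any IPSEC guard although their vipsec.h includes are guarded. ip_ipsec_input's body continues outside the hunk.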

==== //depot/projects/vimage/src/sys/netinet/tcp_input.c#16 (text+ko) ====

@@ -90,6 +90,7 @@
 #ifdef IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec6.h>
+#include <netipsec/vipsec.h>
 #endif /*IPSEC*/
 
 #include <machine/in_cksum.h>
@@ -236,6 +237,7 @@
 #ifdef INET6
 	INIT_VNET_INET6(curvnet);
 #endif
+	INIT_VNET_IPSEC(curvnet);
 	struct tcphdr *th;
 	struct ip *ip = NULL;
 	struct ipovly *ipov;
@@ -468,7 +470,7 @@
 	} else
 #endif /* INET6 */
 	if (inp != NULL && ipsec4_in_reject(m, inp)) {
-		ipsec4stat.in_polvio++;
+		V_ipsec4stat.in_polvio++;
 		goto dropunlock;
 	}
 #endif /* IPSEC */

==== //depot/projects/vimage/src/sys/netinet/udp_usrreq.c#14 (text+ko) ====

@@ -84,6 +84,7 @@
 
 #ifdef IPSEC
 #include <netipsec/ipsec.h>
+#include <netipsec/vipsec.h>
 #endif
 
 #include <machine/in_cksum.h>
@@ -508,6 +509,7 @@
     struct sockaddr_in *udp_in)
 {
 	INIT_VNET_INET(inp->inp_vnet);
+	INIT_VNET_IPSEC(inp->inp_vnet);
 	struct sockaddr *append_sa;
 	struct socket *so;
 	struct mbuf *opts = 0;
@@ -520,7 +522,7 @@
 #ifdef IPSEC
 	/* check AH/ESP integrity. */
 	if (ipsec4_in_reject(n, inp)) {
-		ipsec4stat.in_polvio++;
+		V_ipsec4stat.in_polvio++;
 		m_freem(n);
 		return;
 	}

==== //depot/projects/vimage/src/sys/netinet6/ip6_ipsec.c#4 (text+ko) ====

@@ -62,6 +62,7 @@
 #include <netipsec/ipsec6.h>
 #include <netipsec/xform.h>
 #include <netipsec/key.h>
+#include <netipsec/vipsec.h>
 #ifdef IPSEC_DEBUG
 #include <netipsec/key_debug.h>
 #else
@@ -103,6 +104,7 @@
 {
 #ifdef IPSEC
 	INIT_VNET_INET6(curvnet);
+	INIT_VNET_IPSEC(curvnet);
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secpolicy *sp;
@@ -149,6 +151,7 @@
 
 {
 #ifdef IPSEC
+	INIT_VNET_IPSEC(curvnet);
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secpolicy *sp;

==== //depot/projects/vimage/src/sys/netipsec/ipsec.c#6 (text+ko) ====

@@ -37,6 +37,7 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_vimage.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -53,6 +54,7 @@
 #include <sys/syslog.h>
 #include <sys/sysctl.h>
 #include <sys/proc.h>
+#include <sys/vimage.h>
 
 #include <net/if.h>
 #include <net/route.h>
@@ -66,6 +68,7 @@
 #include <netinet/udp_var.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
+#include <netinet/vinet.h>
 
 #include <netinet/ip6.h>
 #ifdef INET6
@@ -91,18 +94,27 @@
 #include <netipsec/key_debug.h>
 
 #include <netipsec/xform.h>
+#include <netipsec/vipsec.h>
 
 #include <machine/in_cksum.h>
 
 #include <opencrypto/cryptodev.h>
 
+#ifndef VIMAGE
 #ifdef IPSEC_DEBUG
 int ipsec_debug = 1;
 #else
 int ipsec_debug = 0;
 #endif
+#endif
 
+static int  vnet_ipsec_iattach(void *);
+#ifdef VIMAGE
+static int vnet_ipsec_idetach(void *);
+#endif
+
 /* NB: name changed so netstat doesn't use it */
+#ifndef VIMAGE
 struct ipsecstat ipsec4stat;
 int ip4_ah_offsetmask = 0;	/* maybe IP_DF? */
 int ip4_ipsec_dfbit = 0;	/* DF bit on encap. 0: clear 1: set 2: copy */
@@ -112,7 +124,7 @@
 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
 struct secpolicy ip4_def_policy;
 int ip4_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
-int ip4_esp_randpad = -1;
+int ip4_esp_randpad;
 /*
  * Crypto support requirements:
  *
@@ -121,52 +133,57 @@
  *  0	take anything
  */
 int	crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+#endif
 
 SYSCTL_DECL(_net_inet_ipsec);
 
 /* net.inet.ipsec */
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
-	def_policy, CTLFLAG_RW,	&ip4_def_policy.policy,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
-	CTLFLAG_RW, &ip4_esp_trans_deflev,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
-	CTLFLAG_RW, &ip4_esp_net_deflev,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
-	CTLFLAG_RW, &ip4_ah_trans_deflev,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
-	CTLFLAG_RW, &ip4_ah_net_deflev,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY,
+	def_policy, CTLFLAG_RW, ip4_def_policy.policy,  0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV,
+	esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV,
+	esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV,
+	ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV,
+	ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev,	0, "");
 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
 	ah_cleartos, CTLFLAG_RW,	&ah_cleartos,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
-	ah_offsetmask, CTLFLAG_RW,	&ip4_ah_offsetmask,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
-	dfbit, CTLFLAG_RW,	&ip4_ipsec_dfbit,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
-	ecn, CTLFLAG_RW,	&ip4_ipsec_ecn,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
-	debug, CTLFLAG_RW,	&ipsec_debug,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
-	esp_randpad, CTLFLAG_RW,	&ip4_esp_randpad,	0, "");
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO,
-	crypto_support,	CTLFLAG_RW,	&crypto_support,0, "");
-SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
-	ipsecstats,	CTLFLAG_RD,	&ipsec4stat, ipsecstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
+	ah_offsetmask, CTLFLAG_RW,	ip4_ah_offsetmask,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DFBIT,
+	dfbit, CTLFLAG_RW,	ip4_ipsec_dfbit,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_ECN,
+	ecn, CTLFLAG_RW,	ip4_ipsec_ecn,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG,
+	debug, CTLFLAG_RW,	ipsec_debug,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
+	esp_randpad, CTLFLAG_RW,	ip4_esp_randpad,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO,
+	crypto_support,	CTLFLAG_RW,	crypto_support,0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
+	ipsecstats,	CTLFLAG_RD,	ipsec4stat, ipsecstat, "");
 
 #ifdef REGRESSION
 /*
  * When set to 1, IPsec will send packets with the same sequence number.
  * This allows to verify if the other side has proper replay attacks detection.
  */
+#ifndef VIMAGE
 int ipsec_replay = 0;
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0,
-    "Emulate replay attack");
+#endif
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
+	CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
 /*
  * When set 1, IPsec will send packets with corrupted HMAC.
  * This allows to verify if the other side properly detects modified packets.
  */
+#ifndef VIMAGE
 int ipsec_integrity = 0;
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,
-    &ipsec_integrity, 0, "Emulate man-in-the-middle attack");
+#endif
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
+	CTLFLAG_RW, &ipsec_integrity, 0, "Emulate man-in-the-middle attack");
 #endif
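Review bot: The test_integrity entry passes `&ipsec_integrity` to SYSCTL_V_INT, while every other SYSCTL_V_INT in this hunk (including test_replay directly above it) passes the bare member name; the address-of looks like a leftover from the SYSCTL_INT form and presumably will not resolve against the vnet_ipsec struct. Change it to `CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");`. The missing space after `vnet_ipsec,` in most of the new macro invocations is a minor style point worth tidying at the same time.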
 
 #ifdef INET6 
@@ -185,8 +202,12 @@
 SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
 	0,0, compat_ipsecstats_sysctl, "S", "");
 #endif /* COMPAT_KAME */
+/* XXX
 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
 	def_policy, CTLFLAG_RW,	&ip4_def_policy.policy,	0, "");
+*/
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
+	def_policy, CTLFLAG_RW,	ip4_def_policy.policy,	0, "");
 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
 	CTLFLAG_RW, &ip6_esp_trans_deflev,	0, "");
 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
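Review bot: The old `SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, ...)` is kept as a `/* XXX ... */` comment next to its SYSCTL_V_INT replacement; commented-out code should be deleted rather than left with an XXX marker, since Perforce keeps the history. The same applies to the `//INIT_VNET_IPSEC(curvnet);` left in the ipsec6_setspidx_in6pcb hunk later in this file — either the function needs the vnet context or it does not.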
@@ -197,14 +218,32 @@
 	CTLFLAG_RW, &ip6_ah_net_deflev,	0, "");
 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
 	ecn, CTLFLAG_RW,	&ip6_ipsec_ecn,	0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
-	debug, CTLFLAG_RW,	&ipsec_debug,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
+	debug, CTLFLAG_RW,	ipsec_debug,	0, "");
 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
 	esp_randpad, CTLFLAG_RW,	&ip6_esp_randpad,	0, "");
 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
 	ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
 #endif /* INET6 */
 
+#ifdef VIMAGE
+struct vnet_ipsec vnet_ipsec_0;
+
+struct vnet_symmap vnet_ipsec_symmap[] = {
+    VNET_SYMMAP_END
+};
+
+static struct vnet_modinfo vnet_ipsec_modinfo = {
+    .id     	= VNET_MOD_IPSEC,
+    .name       = "ipsec",
+    .symmap     = NULL,
+    .i_attach   = vnet_ipsec_iattach,
+    .i_detach   = vnet_ipsec_idetach
+};
+
+MALLOC_DEFINE(M_IPSEC, "ipsec", "IPSEC instance");
+#endif
+
 static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
 #ifdef INET6
 static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
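Review bot: `vnet_ipsec_symmap[]` is defined as a non-static global holding only `VNET_SYMMAP_END`, yet `vnet_ipsec_modinfo` sets `.symmap = NULL`, so the array is never referenced. Either wire it in with `.symmap = vnet_ipsec_symmap,` or drop the array until there are symbols to map; if kept, it and `vnet_ipsec_0` should probably be `static` unless another file needs them.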
@@ -232,12 +271,13 @@
 static struct secpolicy *
 key_allocsp_default(const char* where, int tag)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 		printf("DP key_allocsp_default from %s:%u\n", where, tag));
 
-	sp = &ip4_def_policy;
+	sp = &V_ip4_def_policy;
 	if (sp->policy != IPSEC_POLICY_DISCARD &&
 	    sp->policy != IPSEC_POLICY_NONE) {
 		ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
@@ -301,6 +341,7 @@
 	struct inpcb *inp;
 	int *error;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct inpcbpolicy *pcbsp = NULL;
 	struct secpolicy *currsp = NULL;	/* policy on socket */
 	struct secpolicy *sp;
@@ -411,6 +452,7 @@
 	int flag;
 	int *error;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secpolicyindex spidx;
 	struct secpolicy *sp;
 
@@ -446,6 +488,7 @@
 	int *error;
 	struct inpcb *inp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 
 	*error = 0;
@@ -455,7 +498,7 @@
 		sp = ipsec_getpolicybysock(m, dir, inp, error);
 	if (sp == NULL) {
 		IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
-		ipsec4stat.ips_out_inval++;
+		V_ipsec4stat.ips_out_inval++;
 		return NULL;
 	}
 	IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
@@ -465,7 +508,7 @@
 		printf("%s: invalid policy %u\n", __func__, sp->policy);
 		/* fall thru... */
 	case IPSEC_POLICY_DISCARD:
-		ipsec4stat.ips_out_polvio++;
+		V_ipsec4stat.ips_out_polvio++;
 		*error = -EINVAL;	/* packet is discarded by caller */
 		break;
 	case IPSEC_POLICY_BYPASS:
@@ -517,6 +560,7 @@
 	struct mbuf *m;
 	struct in6pcb *pcb;
 {
+	//INIT_VNET_IPSEC(curvnet);
 	struct secpolicyindex *spidx;
 	int error;
 
@@ -560,6 +604,7 @@
 	struct secpolicyindex *spidx;
 	int needport;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct ip *ip = NULL;
 	struct ip ipbuf;
 	u_int v;
@@ -753,6 +798,7 @@
 	struct secpolicyindex *spidx;
 	int needport;
 {
+	INIT_VNET_IPSEC(curvnet);
 	int off, nxt;
 	struct tcphdr th;
 	struct udphdr uh;
@@ -869,6 +915,7 @@
 	struct socket *so;
 	struct inpcbpolicy **pcb_sp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct inpcbpolicy *new;
 
 	/* sanity check. */
@@ -1012,6 +1059,7 @@
 	size_t len;
 	int priv;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct sadb_x_policy *xpl;
 	struct secpolicy *newsp = NULL;
 	int error;
@@ -1058,6 +1106,7 @@
 	struct secpolicy *pcb_sp;
 	struct mbuf **mp;
 {
+	INIT_VNET_IPSEC(curvnet);
 
 	/* sanity check. */
 	if (pcb_sp == NULL || mp == NULL)
@@ -1084,6 +1133,7 @@
 	size_t len;
 	int priv;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct sadb_x_policy *xpl;
 	struct secpolicy **pcb_sp;
 
@@ -1118,6 +1168,7 @@
 	size_t len;
 	struct mbuf **mp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct sadb_x_policy *xpl;
 	struct secpolicy *pcb_sp;
 
@@ -1177,6 +1228,7 @@
 	size_t len;
 	int priv;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct sadb_x_policy *xpl;
 	struct secpolicy **pcb_sp;
 
@@ -1211,6 +1263,7 @@
 	size_t len;
 	struct mbuf **mp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct sadb_x_policy *xpl;
 	struct secpolicy *pcb_sp;
 
@@ -1269,6 +1322,7 @@
 ipsec_get_reqlevel(isr)
 	struct ipsecrequest *isr;
 {
+	INIT_VNET_IPSEC(curvnet);
 	u_int level = 0;
 	u_int esp_trans_deflev, esp_net_deflev;
 	u_int ah_trans_deflev, ah_net_deflev;
@@ -1283,7 +1337,7 @@
 #define IPSEC_CHECK_DEFAULT(lev) \
 	(((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE	      \
 			&& (lev) != IPSEC_LEVEL_UNIQUE)			      \
-		? (ipsec_debug						      \
+		? (V_ipsec_debug						      \
 			? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
 				(lev), IPSEC_LEVEL_REQUIRE)		      \
 			: 0),						      \
@@ -1295,10 +1349,10 @@
 	switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
 #ifdef INET
 	case AF_INET:
-		esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
-		esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
-		ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
-		ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
+		esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_trans_deflev);
+		esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_net_deflev);
+		ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_trans_deflev);
+		ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_net_deflev);
 		break;
 #endif
 #ifdef INET6
@@ -1373,6 +1427,7 @@
 int
 ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct ipsecrequest *isr;
 	int need_auth;
 
@@ -1448,6 +1503,7 @@
 	struct mbuf *m;
 	struct inpcb *inp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 	int error;
 	int result;
@@ -1466,7 +1522,7 @@
 	if (sp != NULL) {
 		result = ipsec_in_reject(sp, m);
 		if (result)
-			ipsec4stat.ips_in_polvio++;
+			V_ipsec4stat.ips_in_polvio++;
 		KEY_FREESP(&sp);
 	} else {
 		result = 0;	/* XXX should be panic ?
@@ -1523,6 +1579,7 @@
 static size_t
 ipsec_hdrsiz(struct secpolicy *sp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct ipsecrequest *isr;
 	size_t siz;
 
@@ -1585,6 +1642,7 @@
 	u_int dir;
 	struct inpcb *inp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 	int error;
 	size_t size;
@@ -1623,6 +1681,7 @@
 	u_int dir;
 	struct in6pcb *in6p;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp;
 	int error;
 	size_t size;
@@ -1724,6 +1783,7 @@
 	u_int32_t seq;
 	struct secasvar *sav;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secreplay *replay;
 	u_int32_t diff;
 	int fr;
@@ -1932,9 +1992,71 @@
 static void
 ipsec_attach(void)
 {
-	SECPOLICY_LOCK_INIT(&ip4_def_policy);
-	ip4_def_policy.refcnt = 1;			/* NB: disallow free */
+#ifdef VIMAGE
+	vnet_mod_register(&vnet_ipsec_modinfo);
+#else
+	vnet_ipsec_iattach(NULL);
+#endif
+}
+
+static int
+vnet_ipsec_iattach(unused)
+	void *unused;
+{
+#ifdef VIMAGE
+	struct vnet_ipsec *vnet_ipsec;
+
+    if (curvnet == &vnet_0) {
+        vnet_ipsec = &vnet_ipsec_0;
+    } else {
+        vnet_ipsec = malloc(sizeof(struct vnet_ipsec),
+                   M_IPSEC, M_NOWAIT | M_ZERO);
+        if (vnet_ipsec == NULL)
+            panic("couldn't allocate memory for vnet_ipsec");
+    }
+    curvnet->mod_data[vnet_ipsec_modinfo.id] = vnet_ipsec;
+    vnet_ipsec->parent_vnet = curvnet;
+#endif
+
+	#ifdef IPSEC_DEBUG
+	V_ipsec_debug = 1;
+	#else
+	V_ipsec_debug = 0;
+	#endif
+
+	SECPOLICY_LOCK_INIT(&V_ip4_def_policy);
+	V_ip4_def_policy.refcnt = 1;			/* NB: disallow free */
+
+	V_ip4_ah_offsetmask = 0;  /* maybe IP_DF? */
+	V_ip4_ipsec_dfbit = 0;    /* DF bit on encap. 0: clear 1: set 2: copy */
+	V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
+	V_ip4_ipsec_ecn = 0;
+
+	V_ip4_esp_randpad = -1;
+	V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+	V_ipsec_replay = 0;
+	V_ipsec_integrity = 0;
+
+	return 0;
+}
+
+/* XXX finish this! */
+#ifdef VIMAGE
+static int
+vnet_ipsec_idetach(unused)
+	void *unused;
+{
+	INIT_VNET_IPSEC(curvnet);
+
+	curvnet->mod_data[vnet_ipsec_modinfo.id] = NULL;
+	free((caddr_t)vnet_ipsec, M_IPSEC);
+
+	return 0;
 }
+#endif
 SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL)
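Review bot: vnet_ipsec_iattach assigns `V_ipsec_replay = 0;` and `V_ipsec_integrity = 0;` unconditionally, but earlier in this file `ipsec_replay` and `ipsec_integrity` are only defined under `#ifdef REGRESSION`, so a non-VIMAGE build without REGRESSION (where V_ names presumably resolve to the bare globals) has nothing to assign to; wrap those two lines in `#ifdef REGRESSION` / `#endif`. In vnet_ipsec_idetach, `free((caddr_t)vnet_ipsec, M_IPSEC)` is reached for every vnet, but iattach uses the static `vnet_ipsec_0` for `&vnet_0`, so detaching that instance would free static storage; the lock initialised by `SECPOLICY_LOCK_INIT` is also never destroyed. A mirrored check and a lock teardown, as below, address both; the indented `#ifdef IPSEC_DEBUG` block and the space-indented VIMAGE branch in iattach should follow the file's tab style.
```c
static int
vnet_ipsec_idetach(unused)
	void *unused;
{
	INIT_VNET_IPSEC(curvnet);

	SECPOLICY_LOCK_DESTROY(&V_ip4_def_policy);
	curvnet->mod_data[vnet_ipsec_modinfo.id] = NULL;
	/* vnet_0's instance lives in static storage, never malloc'ed */
	if (vnet_ipsec != &vnet_ipsec_0)
		free(vnet_ipsec, M_IPSEC);

	return 0;
}
```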
 
 

==== //depot/projects/vimage/src/sys/netipsec/ipsec.h#3 (text+ko) ====

@@ -345,9 +345,9 @@
 extern int ip4_esp_randpad;
 extern int crypto_support;
 
-#define ipseclog(x)	do { if (ipsec_debug) log x; } while (0)
+#define ipseclog(x)	do { if (V_ipsec_debug) log x; } while (0)
 /* for openbsd compatibility */
-#define	DPRINTF(x)	do { if (ipsec_debug) printf x; } while (0)
+#define	DPRINTF(x)	do { if (V_ipsec_debug) printf x; } while (0)
 
 extern	struct ipsecrequest *ipsec_newisr(void);
 extern	void ipsec_delisr(struct ipsecrequest *);
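Review bot: `ipseclog()` and `DPRINTF()` now expand to `V_ipsec_debug`, which makes every caller of these widely used macros silently depend on having `INIT_VNET_IPSEC()` in scope under VIMAGE; that contract is not visible at the use site, so it should be stated next to the macros, e.g. `/* NB: both macros read the per-vnet ipsec_debug; callers need INIT_VNET_IPSEC() in scope. */`. The adjacent `extern int ip4_esp_randpad;` and `extern int crypto_support;` declarations stay unconditional although ipsec.c now defines those globals only under `#ifndef VIMAGE`, so they declare symbols that do not exist in a VIMAGE build and should carry the same guard.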

==== //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#5 (text+ko) ====

@@ -90,6 +90,7 @@
 #include <netipsec/keydb.h>
 
 #include <netipsec/xform.h>
+#include <netipsec/vipsec.h>
 #include <netinet6/ip6protosw.h>
 
 #include <machine/in_cksum.h>
@@ -109,12 +110,13 @@
 static int
 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
 {
+	INIT_VNET_IPSEC(curvnet);
 	union sockaddr_union dst_address;
 	struct secasvar *sav;
 	u_int32_t spi;
 	int error;
 
-	IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input,
+	IPSEC_ISTAT(sproto, V_espstat.esps_input, ahstat.ahs_input,
 		ipcompstat.ipcomps_input);
 
 	IPSEC_ASSERT(m != NULL, ("null packet"));
@@ -123,18 +125,18 @@
 		sproto == IPPROTO_IPCOMP,
 		("unexpected security protocol %u", sproto));
 
-	if ((sproto == IPPROTO_ESP && !esp_enable) ||
+	if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
 	    (sproto == IPPROTO_AH && !ah_enable) ||
 	    (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
 		m_freem(m);
-		IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops,
+		IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops,
 		    ipcompstat.ipcomps_pdrops);
 		return EOPNOTSUPP;
 	}
 
 	if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
 		m_freem(m);
-		IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
+		IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
 		    ipcompstat.ipcomps_hdrops);
 		DPRINTF(("%s: packet too small\n", __func__));
 		return EINVAL;
@@ -180,7 +182,7 @@
 	default:
 		DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
 		m_freem(m);
-		IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf,
+		IPSEC_ISTAT(sproto, V_espstat.esps_nopf, ahstat.ahs_nopf,
 		    ipcompstat.ipcomps_nopf);
 		return EPFNOSUPPORT;
 	}
@@ -191,7 +193,7 @@
 		DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
 			  __func__, ipsec_address(&dst_address),
 			  (u_long) ntohl(spi), sproto));
-		IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb,
+		IPSEC_ISTAT(sproto, V_espstat.esps_notdb, ahstat.ahs_notdb,
 		    ipcompstat.ipcomps_notdb);
 		m_freem(m);
 		return ENOENT;
@@ -201,7 +203,7 @@
 		DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
 			 __func__, ipsec_address(&dst_address),
 			 (u_long) ntohl(spi), sproto));
-		IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform,
+		IPSEC_ISTAT(sproto, V_espstat.esps_noxform, ahstat.ahs_noxform,
 		    ipcompstat.ipcomps_noxform);
 		KEY_FREESAV(&sav);
 		m_freem(m);
@@ -278,6 +280,7 @@
 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 			int skip, int protoff, struct m_tag *mt)
 {
+	INIT_VNET_IPSEC(curvnet);
 	int prot, af, sproto;
 	struct ip *ip;
 	struct m_tag *mtag;
@@ -306,7 +309,7 @@
 	/* Sanity check */
 	if (m == NULL) {
 		DPRINTF(("%s: null mbuf", __func__));
-		IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
+		IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr,
 		    ipcompstat.ipcomps_badkcr);
 		KEY_FREESAV(&sav);
 		return EINVAL;
@@ -318,7 +321,7 @@
 			DPRINTF(("%s: processing failed for SA %s/%08lx\n",
 			    __func__, ipsec_address(&sav->sah->saidx.dst),
 			    (u_long) ntohl(sav->spi)));
-			IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = ENOBUFS;
 			goto bad;
@@ -340,7 +343,7 @@
 		struct ip ipn;
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
-			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
 			    ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = EINVAL;
@@ -371,7 +374,7 @@
 			    ipsp_address(saidx->dst),
 			    (u_long) ntohl(sav->spi)));
 
-			IPSEC_ISTAT(sproto, espstat.esps_pdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
 			    ahstat.ahs_pdrops,
 			    ipcompstat.ipcomps_pdrops);
 			error = EACCES;
@@ -384,7 +387,7 @@
 		struct ip6_hdr ip6n;
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
-			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
 			    ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = EINVAL;
@@ -413,7 +416,7 @@
 			    ipsec_address(&saidx->dst),
 			    (u_long) ntohl(sav->spi)));
 
-			IPSEC_ISTAT(sproto, espstat.esps_pdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
 			    ahstat.ahs_pdrops,
 			    ipcompstat.ipcomps_pdrops);
 			error = EACCES;
@@ -436,7 +439,7 @@
 		    sizeof(struct tdb_ident), M_NOWAIT);
 		if (mtag == NULL) {
 			DPRINTF(("%s: failed to get tag\n", __func__));
-			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
 			    ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
 			error = ENOMEM;
 			goto bad;
@@ -471,7 +474,7 @@
 	 * Re-dispatch via software interrupt.
 	 */
 	if ((error = netisr_queue(NETISR_IP, m))) {
-		IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull,
+		IPSEC_ISTAT(sproto, V_espstat.esps_qfull, ahstat.ahs_qfull,
 			    ipcompstat.ipcomps_qfull);
 
 		DPRINTF(("%s: queue full; proto %u packet dropped\n",
@@ -496,6 +499,7 @@
 int
 ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
 {
+	INIT_VNET_IPSEC(curvnet);
 	int l = 0;
 	int protoff;
 	struct ip6_ext ip6e;
@@ -525,7 +529,7 @@
 		if (protoff + l != *offp) {
 			DPRINTF(("%s: bad packet header chain, protoff %u, "
 				"l %u, off %u\n", __func__, protoff, l, *offp));
-			IPSEC_ISTAT(proto, espstat.esps_hdrops,
+			IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
 				    ahstat.ahs_hdrops,
 				    ipcompstat.ipcomps_hdrops);
 			m_freem(*mp);
@@ -547,6 +551,7 @@
     struct m_tag *mt)
 {
 	INIT_VNET_INET6(curvnet);
+	INIT_VNET_IPSEC(curvnet);
 	int prot, af, sproto;
 	struct ip6_hdr *ip6;
 	struct m_tag *mtag;
@@ -573,7 +578,7 @@
 	/* Sanity check */
 	if (m == NULL) {
 		DPRINTF(("%s: null mbuf", __func__));
-		IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
+		IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr,
 		    ipcompstat.ipcomps_badkcr);
 		error = EINVAL;
 		goto bad;
@@ -587,7 +592,7 @@
 		    __func__, ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
 
-		IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
+		IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
 		    ipcompstat.ipcomps_hdrops);
 		error = EACCES;
 		goto bad;
@@ -606,7 +611,7 @@
 		struct ip ipn;
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
-			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
 			    ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = EINVAL;
@@ -633,7 +638,7 @@
 			    ipsec_address(&saidx->dst),
 			    (u_long) ntohl(sav->spi)));
 
-			IPSEC_ISTATsproto, (espstat.esps_pdrops,
+			IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
 			    ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
 			error = EACCES;
 			goto bad;
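Review bot: The new line keeps the pre-existing garbled call `IPSEC_ISTATsproto, (V_espstat.esps_pdrops,`, which is not valid C; presumably this block is currently excluded by a surrounding conditional, but since the change already touches the line it should be repaired rather than carried forward: `IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,`. The enclosing ipsec6_common_input_cb starts and ends outside the hunk.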
@@ -646,7 +651,7 @@
 		struct ip6_hdr ip6n;
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
-			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
 			    ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = EINVAL;
@@ -675,7 +680,7 @@
 			    ipsec_address(&saidx->dst),
 			    (u_long) ntohl(sav->spi)));
 
-			IPSEC_ISTAT(sproto, espstat.esps_pdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
 			    ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
 			error = EACCES;
 			goto bad;
@@ -696,7 +701,7 @@
 		    sizeof(struct tdb_ident), M_NOWAIT);
 		if (mtag == NULL) {
 			DPRINTF(("%s: failed to get tag\n", __func__));
-			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
 			    ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
 			error = ENOMEM;
 			goto bad;

==== //depot/projects/vimage/src/sys/netipsec/ipsec_mbuf.c#3 (text+ko) ====

@@ -31,16 +31,19 @@
  */
 
 #include "opt_param.h"
+#include "opt_vimage.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
+#include <sys/vimage.h>
 
 #include <net/route.h>
 #include <netinet/in.h>
 
 #include <netipsec/ipsec.h>
+#include <netipsec/vipsec.h>
 
 /*
  * Make space for a new header of length hlen at skip bytes
@@ -53,6 +56,7 @@
 struct mbuf *
 m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *m;
 	unsigned remain;
 
@@ -88,7 +92,7 @@
 			return (NULL);
 		n->m_next = m->m_next;		/* splice new mbuf */
 		m->m_next = n;
-		ipsec4stat.ips_mbinserted++;
+		V_ipsec4stat.ips_mbinserted++;
 		if (hlen <= M_TRAILINGSPACE(m) + remain) {
 			/*
 			 * New header fits in the old mbuf if we copy
@@ -122,7 +126,7 @@
 				/* splice in second mbuf */
 				n2->m_next = n->m_next;
 				n->m_next = n2;
-				ipsec4stat.ips_mbinserted++;
+				V_ipsec4stat.ips_mbinserted++;
 			} else {
 				memcpy(mtod(n, caddr_t) + hlen,
 				       mtod(m, caddr_t) + skip, remain);
@@ -155,6 +159,7 @@
 caddr_t
 m_pad(struct mbuf *m, int n)
 {
+	INIT_VNET_IPSEC(curvnet);
 	register struct mbuf *m0, *m1;
 	register int len, pad;
 	caddr_t retval;
@@ -227,6 +232,7 @@
 int
 m_striphdr(struct mbuf *m, int skip, int hlen)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *m1;
 	int roff;
 
@@ -238,7 +244,7 @@
 	/* Remove the header and associated data from the mbuf. */
 	if (roff == 0) {
 		/* The header was at the beginning of the mbuf */
-		ipsec4stat.ips_input_front++;
+		V_ipsec4stat.ips_input_front++;
 		m_adj(m1, hlen);
 		if ((m1->m_flags & M_PKTHDR) == 0)
 			m->m_pkthdr.len -= hlen;
@@ -250,7 +256,7 @@
 		 * so first let's remove the remainder of the header from
 		 * the beginning of the remainder of the mbuf chain, if any.
 		 */
-		ipsec4stat.ips_input_end++;
+		V_ipsec4stat.ips_input_end++;
 		if (roff + hlen > m1->m_len) {
 			/* Adjust the next mbuf by the remainder */
 			m_adj(m1->m_next, roff + hlen - m1->m_len);
@@ -275,7 +281,7 @@
 		 * The header lies in the "middle" of the mbuf; copy
 		 * the remainder of the mbuf down over the header.
 		 */
-		ipsec4stat.ips_input_middle++;
+		V_ipsec4stat.ips_input_middle++;
 		bcopy(mtod(m1, u_char *) + roff + hlen,
 		      mtod(m1, u_char *) + roff,
 		      m1->m_len - (roff + hlen));

==== //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#5 (text+ko) ====

@@ -81,12 +81,14 @@
 #include <netipsec/key.h>
 #include <netipsec/keydb.h>
 #include <netipsec/key_debug.h>
+#include <netipsec/vipsec.h>
 
 #include <machine/in_cksum.h>

>>> TRUNCATED FOR MAIL (1000 lines) <<<


