Merge more of currently non-functional (i.e. resolving to

whitespace) macros from p4/vimage branch.

Do a better job at enclosing all instantiations of globals
scheduled for virtualization in #ifdef VIMAGE_GLOBALS blocks.

De-virtualize and mark as const saorder_state_alive and
saorder_state_any arrays from ipsec code, given that they are never
updated at runtime, so virtualizing them would be pointless.

Reviewed by:  bz, julian
Approved by:  julian (mentor)
Obtained from:        //depot/projects/vimage-commit2/...
X-MFC after:  never
Sponsored by: NLnet Foundation, The FreeBSD Foundation

sys/kern/kern_poll.c

@@ -521,6 +521,7 @@ ether_poll_deregister(struct ifnet *ifp)
 static int
 poll_switch(SYSCTL_HANDLER_ARGS)
 {
+	INIT_VNET_NET(curvnet);
 	struct ifnet *ifp;
 	int error;
 	int val = polling;

sys/kern/kern_sysctl.c

@@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mutex.h>
 #include <sys/sx.h>
 #include <sys/sysproto.h>
+#include <sys/vimage.h>
 
 #include <security/mac/mac_framework.h>
 
@@ -1413,6 +1414,7 @@ userland_sysctl(struct thread *td, int *name, u_int namelen, void *old,
 	req.lock = REQ_LOCKED;
 
 	SYSCTL_LOCK();
+	CURVNET_SET(TD_TO_VNET(curthread));
 
 	do {
 		req.oldidx = 0;
@@ -1423,6 +1425,7 @@ userland_sysctl(struct thread *td, int *name, u_int namelen, void *old,
 	if (req.lock == REQ_WIRED && req.validlen > 0)
 		vsunlock(req.oldptr, req.validlen);
 
+	CURVNET_RESTORE();
 	SYSCTL_UNLOCK();
 
 	if (error && error != ENOMEM)

sys/net/bpf.c

@@ -56,6 +56,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/sockio.h>
 #include <sys/ttycom.h>
 #include <sys/uio.h>
+#include <sys/vimage.h>
 
 #include <sys/event.h>
 #include <sys/file.h>
@@ -566,7 +567,9 @@ bpf_detachd(struct bpf_d *d)
 	 */
 	if (d->bd_promisc) {
 		d->bd_promisc = 0;
+		CURVNET_SET(ifp->if_vnet);
 		error = ifpromisc(ifp, 0);
+		CURVNET_RESTORE();
 		if (error != 0 && error != ENXIO) {
 			/*
 			 * ENXIO can happen if a pccard is unplugged
@@ -872,7 +875,9 @@ bpfwrite(struct cdev *dev, struct uio *uio, int ioflag)
 
 #ifdef MAC
 	BPFD_LOCK(d);
+	CURVNET_SET(ifp->if_vnet);
 	mac_bpfdesc_create_mbuf(d, m);
+	CURVNET_RESTORE();
 	if (mc != NULL)
 		mac_bpfdesc_create_mbuf(d, mc);
 	BPFD_UNLOCK(d);
@@ -993,6 +998,7 @@ bpfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags,
 			return (EPERM);
 		}
 	}
+	CURVNET_SET(TD_TO_VNET(td));
 	switch (cmd) {
 
 	default:
@@ -1322,6 +1328,7 @@ bpfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags,
 	case BIOCROTZBUF:
 		return (bpf_ioctl_rotzbuf(td, d, (struct bpf_zbuf *)addr));
 	}
+	CURVNET_RESTORE();
 	return (error);
 }
 

sys/net/if.c

@@ -192,7 +192,6 @@ ifnet_setbyindex(u_short idx, struct ifnet *ifp)
 struct ifaddr *
 ifaddr_byindex(u_short idx)
 {
-	INIT_VNET_NET(curvnet);
 	struct ifaddr *ifa;
 
 	IFNET_RLOCK();

sys/net/if_loop.c

@@ -105,6 +105,9 @@ IFC_SIMPLE_DECLARE(lo, 1);
 static void
 lo_clone_destroy(struct ifnet *ifp)
 {
+#ifdef INVARIANTS
+	INIT_VNET_NET(ifp->if_vnet);
+#endif
 
 	/* XXX: destroying lo0 will lead to panics. */
 	KASSERT(V_loif != ifp, ("%s: destroying lo0", __func__));
@@ -141,6 +144,7 @@ lo_clone_create(struct if_clone *ifc, int unit, caddr_t params)
 static int
 loop_modevent(module_t mod, int type, void *data)
 {
+	INIT_VNET_NET(curvnet);
 
 	switch (type) {
 	case MOD_LOAD:

sys/net/route.c

@@ -145,6 +145,7 @@ SYSCTL_PROC(_net, OID_AUTO, my_fibnum, CTLTYPE_INT|CTLFLAG_RD,
 static void
 route_init(void)
 {
+	INIT_VNET_INET(curvnet);
 	int table;
 	struct domain *dom;
 	int fam;

sys/netinet/if_ether.c

@@ -89,8 +89,8 @@ static int	useloopback; /* use loopback interface for local traffic */
 static int	arp_proxyall;
 #endif
 
-SYSCTL_INT(_net_link_ether_inet, OID_AUTO, max_age, CTLFLAG_RW, 
-	   &arpt_keep, 0, "ARP entry lifetime in seconds");
+SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, max_age,
+    CTLFLAG_RW, arpt_keep, 0, "ARP entry lifetime in seconds");
 
 #define	rt_expire rt_rmx.rmx_expire
 

sys/netinet/in_pcb.c

@@ -120,6 +120,7 @@ int	ipport_tcplastcount;
 static int
 sysctl_net_ipport_check(SYSCTL_HANDLER_ARGS)
 {
+	INIT_VNET_INET(curvnet);
 	int error;
 
 	error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
@@ -1474,7 +1475,7 @@ inp_apply_all(void (*func)(struct inpcb *, void *), void *arg)
 	struct inpcb *inp;
 
 	INP_INFO_RLOCK(&V_tcbinfo);
-	LIST_FOREACH(inp, tcbinfo.ipi_listhead, inp_list) {
+	LIST_FOREACH(inp, V_tcbinfo.ipi_listhead, inp_list) {
 		INP_WLOCK(inp);
 		func(inp, arg);
 		INP_WUNLOCK(inp);

sys/netinet/in_rmx.c

@@ -287,6 +287,7 @@ in_rtqtimo(void *rock)
 static void
 in_rtqtimo_one(void *rock)
 {
+	INIT_VNET_INET(curvnet);
 	struct radix_node_head *rnh = rock;
 	struct rtqk_arg arg;
 	static time_t last_adjusted_timeout = 0;
@@ -341,6 +342,7 @@ in_rtqdrain(void)
 	VNET_FOREACH(vnet_iter) {
 		CURVNET_SET(vnet_iter);
 		INIT_VNET_NET(vnet_iter);
+
 		for ( fibnum = 0; fibnum < rt_numfibs; fibnum++) {
 			rnh = V_rt_tables[fibnum][AF_INET];
 			arg.found = arg.killed = 0;

sys/netinet/ip_divert.c

@@ -581,6 +581,7 @@ div_ctlinput(int cmd, struct sockaddr *sa, void *vip)
 static int
 div_pcblist(SYSCTL_HANDLER_ARGS)
 {
+	INIT_VNET_INET(curvnet);
 	int error, i, n;
 	struct inpcb *inp, **inp_list;
 	inp_gen_t gencnt;

sys/netinet/ip_fw_pfil.c

@@ -487,6 +487,7 @@ ipfw6_unhook(void)
 int
 ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
 {
+	INIT_VNET_IPFW(curvnet);
 	int enable = *(int *)arg1;
 	int error;
 

sys/netinet/ip_output.c

@@ -791,6 +791,7 @@ done:
 void
 in_delayed_cksum(struct mbuf *m)
 {
+	INIT_VNET_INET(curvnet);
 	struct ip *ip;
 	u_short csum, offset;
 

sys/netinet/tcp_input.c

@@ -2986,6 +2986,7 @@ tcp_mss(struct tcpcb *tp, int offer)
 	int isipv6;
 #endif
 	KASSERT(tp != NULL, ("%s: tp == NULL", __func__));
+	INIT_VNET_INET(tp->t_vnet);
 	
 	tcp_mss_update(tp, offer, &metrics, &mtuflags);
 

sys/netinet/tcp_subr.c

@@ -130,7 +130,7 @@ static int	tcp_inflight_stab;
 static int
 sysctl_net_inet_tcp_mss_check(SYSCTL_HANDLER_ARGS)
 {
-	INIT_VNET_INET(TD_TO_VNET(curthread));
+	INIT_VNET_INET(curvnet);
 	int error, new;
 
 	new = V_tcp_mssdflt;
@@ -144,15 +144,16 @@ sysctl_net_inet_tcp_mss_check(SYSCTL_HANDLER_ARGS)
 	return (error);
 }
 
-SYSCTL_PROC(_net_inet_tcp, TCPCTL_MSSDFLT, mssdflt, CTLTYPE_INT|CTLFLAG_RW,
-	   &tcp_mssdflt, 0, &sysctl_net_inet_tcp_mss_check, "I",
-	   "Default TCP Maximum Segment Size");
+SYSCTL_V_PROC(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_MSSDFLT, mssdflt,
+    CTLTYPE_INT|CTLFLAG_RW, tcp_mssdflt, 0,
+    &sysctl_net_inet_tcp_mss_check, "I",
+    "Default TCP Maximum Segment Size");
 
 #ifdef INET6
 static int
 sysctl_net_inet_tcp_mss_v6_check(SYSCTL_HANDLER_ARGS)
 {
-	INIT_VNET_INET6(TD_TO_VNET(curthread));
+	INIT_VNET_INET6(curvnet);
 	int error, new;
 
 	new = V_tcp_v6mssdflt;
@@ -166,9 +167,10 @@ sysctl_net_inet_tcp_mss_v6_check(SYSCTL_HANDLER_ARGS)
 	return (error);
 }
 
-SYSCTL_PROC(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt, CTLTYPE_INT|CTLFLAG_RW,
-	   &tcp_v6mssdflt, 0, &sysctl_net_inet_tcp_mss_v6_check, "I",
-	   "Default TCP Maximum Segment Size for IPv6");
+SYSCTL_V_PROC(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
+    CTLTYPE_INT|CTLFLAG_RW, tcp_v6mssdflt, 0,
+    &sysctl_net_inet_tcp_mss_v6_check, "I",
+   "Default TCP Maximum Segment Size for IPv6");
 #endif
 
 /*
@@ -225,9 +227,9 @@ static int	tcp_inflight_debug = 0;
 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW,
     &tcp_inflight_debug, 0, "Debug TCP inflight calculations");
 
-SYSCTL_PROC(_net_inet_tcp_inflight, OID_AUTO, rttthresh, CTLTYPE_INT|CTLFLAG_RW,
-    &tcp_inflight_rttthresh, 0, sysctl_msec_to_ticks, "I",
-    "RTT threshold below which inflight will deactivate itself");
+SYSCTL_V_PROC(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, rttthresh,
+    CTLTYPE_INT|CTLFLAG_RW, tcp_inflight_rttthresh, 0, sysctl_msec_to_ticks,
+    "I", "RTT threshold below which inflight will deactivate itself");
 
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, min,
     CTLFLAG_RW, tcp_inflight_min, 0, "Lower-bound for TCP inflight window");
@@ -947,6 +949,9 @@ static struct inpcb *
 tcp_notify(struct inpcb *inp, int error)
 {
 	struct tcpcb *tp;
+#ifdef INVARIANTS
+	INIT_VNET_INET(inp->inp_vnet); /* V_tcbinfo WLOCK ASSERT */
+#endif
 
 	INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
 	INP_WLOCK_ASSERT(inp);
@@ -1940,6 +1945,7 @@ int
 tcp_signature_compute(struct mbuf *m, int _unused, int len, int optlen,
     u_char *buf, u_int direction)
 {
+	INIT_VNET_IPSEC(curvnet);
 	union sockaddr_union dst;
 	struct ippseudo ippseudo;
 	MD5_CTX ctx;

sys/netinet/tcp_syncache.c

@@ -105,12 +105,12 @@ static int tcp_syncookiesonly;
 int tcp_sc_rst_sock_fail;
 #endif
 
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_RW,
-    &tcp_syncookies, 0,
+SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, syncookies,
+    CTLFLAG_RW, tcp_syncookies, 0,
     "Use TCP SYN cookies if the syncache overflows");
 
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies_only, CTLFLAG_RW,
-    &tcp_syncookiesonly, 0,
+SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, syncookies_only,
+    CTLFLAG_RW, tcp_syncookiesonly, 0,
     "Use only TCP SYN cookies");
 
 #ifdef TCP_OFFLOAD_DISABLE
@@ -359,11 +359,13 @@ static void
 syncache_timer(void *xsch)
 {
 	struct syncache_head *sch = (struct syncache_head *)xsch;
-	INIT_VNET_INET(sch->sch_vnet);
 	struct syncache *sc, *nsc;
 	int tick = ticks;
 	char *s;
 
+	CURVNET_SET(sch->sch_vnet);
+	INIT_VNET_INET(sch->sch_vnet);
+
 	/* NB: syncache_head has already been locked by the callout. */
 	SCH_LOCK_ASSERT(sch);
 
@@ -412,6 +414,7 @@ syncache_timer(void *xsch)
 	if (!TAILQ_EMPTY(&(sch)->sch_bucket))
 		callout_reset(&(sch)->sch_timer, (sch)->sch_nextc - tick,
 			syncache_timer, (void *)(sch));
+	CURVNET_RESTORE();
 }
 
 /*
@@ -836,7 +839,7 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 		 *  B. check that the syncookie is valid.  If it is, then
 		 *     cobble up a fake syncache entry, and return.
 		 */
-		if (!tcp_syncookies) {
+		if (!V_tcp_syncookies) {
 			SCH_UNLOCK(sch);
 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
 				log(LOG_DEBUG, "%s; %s: Spurious ACK, "
@@ -929,6 +932,7 @@ int
 tcp_offload_syncache_expand(struct in_conninfo *inc, struct tcpopt *to,
     struct tcphdr *th, struct socket **lsop, struct mbuf *m)
 {
+	INIT_VNET_INET(curvnet);
 	int rc;
 	
 	INP_INFO_WLOCK(&V_tcbinfo);
@@ -1097,7 +1101,7 @@ _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 			syncache_drop(sc, sch);
 		sc = uma_zalloc(V_tcp_syncache.zone, M_NOWAIT | M_ZERO);
 		if (sc == NULL) {
-			if (tcp_syncookies) {
+			if (V_tcp_syncookies) {
 				bzero(&scs, sizeof(scs));
 				sc = &scs;
 			} else {
@@ -1206,7 +1210,7 @@ _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 	if ((th->th_flags & (TH_ECE|TH_CWR)) && V_tcp_do_ecn)
 		sc->sc_flags |= SCF_ECN;
 
-	if (tcp_syncookies) {
+	if (V_tcp_syncookies) {
 		syncookie_generate(sch, sc, &flowtmp);
 #ifdef INET6
 		if (autoflowlabel)
@@ -1225,7 +1229,7 @@ _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 	 * Do a standard 3-way handshake.
 	 */
 	if (TOEPCB_ISSET(sc) || syncache_respond(sc) == 0) {
-		if (tcp_syncookies && tcp_syncookiesonly && sc != &scs)
+		if (V_tcp_syncookies && V_tcp_syncookiesonly && sc != &scs)
 			syncache_free(sc);
 		else if (sc != &scs)
 			syncache_insert(sc, sch);   /* locks and unlocks sch */

sys/netinet/tcp_timewait.c

@@ -150,8 +150,8 @@ SYSCTL_PROC(_net_inet_tcp, OID_AUTO, maxtcptw, CTLTYPE_INT|CTLFLAG_RW,
     &maxtcptw, 0, sysctl_maxtcptw, "IU",
     "Maximum number of compressed TCP TIME_WAIT entries");
 
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, nolocaltimewait, CTLFLAG_RW,
-    &nolocaltimewait, 0,
+SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, nolocaltimewait,
+    CTLFLAG_RW, nolocaltimewait, 0,
     "Do not create compressed TCP TIME_WAIT entries for local connections");
 
 void

sys/netinet/udp_usrreq.c

@@ -113,7 +113,8 @@ int	udp_log_in_vain = 0;
 SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW,
     &udp_log_in_vain, 0, "Log all incoming UDP packets");
 
-SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_RW, &udp_blackhole, 0,
+SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_udp, OID_AUTO, blackhole,
+    CTLFLAG_RW, udp_blackhole, 0,
     "Do not send port unreachables for refused connects");
 
 u_long	udp_sendspace = 9216;		/* really max datagram size */

sys/netinet/vinet.h

@@ -89,12 +89,16 @@ struct vnet_inet {
 	struct	tcpstat _tcpstat;	/* tcp statistics */
 	struct	tcp_hostcache _tcp_hostcache;
 	struct  callout _tcp_hc_callout;
+
 	struct	tcp_syncache _tcp_syncache;
+	int	_tcp_syncookies;
+	int	_tcp_syncookiesonly;
+	int	_tcp_sc_rst_sock_fail;
+
 	struct	inpcbhead _divcb;
 	struct	inpcbinfo _divcbinfo;
 	TAILQ_HEAD(, tcptw) _twq_2msl;
 
-	int	_tcp_sc_rst_sock_fail;
 	int	_tcp_mssdflt;
 	int	_tcp_v6mssdflt;
 	int	_tcp_minmss;
@@ -206,7 +210,6 @@ struct vnet_inet {
 #define	V_arp_maxtries		VNET_INET(arp_maxtries)
 #define	V_arp_proxyall		VNET_INET(arp_proxyall)
 #define	V_arpt_keep		VNET_INET(arpt_keep)
-#define	V_arpt_prune		VNET_INET(arpt_prune)
 #define	V_blackhole		VNET_INET(blackhole)
 #define	V_divcb			VNET_INET(divcb)
 #define	V_divcbinfo		VNET_INET(divcbinfo)

sys/netinet6/icmp6.c

@@ -108,12 +108,13 @@ __FBSDID("$FreeBSD$");
 #endif
 
 extern struct domain inet6domain;
+
+#ifdef VIMAGE_GLOBALS
 extern struct inpcbinfo ripcbinfo;
 extern struct inpcbhead ripcb;
 extern int icmp6errppslim;
 extern int icmp6_nodeinfo;
 
-#ifdef VIMAGE_GLOBALS
 struct icmp6stat icmp6stat;
 static int icmp6errpps_count;
 static struct timeval icmp6errppslim_last;

sys/netinet6/in6_ifattach.c

@@ -65,10 +65,9 @@ __FBSDID("$FreeBSD$");
 unsigned long in6_maxmtu;
 int ip6_auto_linklocal;
 struct callout in6_tmpaddrtimer_ch;
-#endif
-
 extern struct inpcbinfo udbinfo;
 extern struct inpcbinfo ripcbinfo;
+#endif
 
 static int get_rand_ifid(struct ifnet *, struct in6_addr *);
 static int generate_tmp_ifid(u_int8_t *, const u_int8_t *, u_int8_t *);

sys/netinet6/in6_proto.c

@@ -563,6 +563,6 @@ SYSCTL_V_INT(V_NET, vnet_inet6, _net_inet6_icmp6, ICMPV6CTL_ND6_MAXNUDHINT,
 SYSCTL_V_INT(V_NET, vnet_inet6, _net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG,
 	nd6_debug, CTLFLAG_RW,	nd6_debug,		0, "");
 
-SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
-	nd6_onlink_ns_rfc4861, CTLFLAG_RW, &nd6_onlink_ns_rfc4861, 0,
+SYSCTL_V_INT(V_NET, vnet_inet6, _net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
+	nd6_onlink_ns_rfc4861, CTLFLAG_RW, nd6_onlink_ns_rfc4861, 0,
 	"Accept 'on-link' nd6 NS in compliance with RFC 4861.");

sys/netinet6/in6_rmx.c

@@ -225,14 +225,14 @@ static int rtq_minreallyold6;
 static int rtq_toomany6;
 #endif
 
-SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTEXPIRE, rtexpire,
-	CTLFLAG_RW, &rtq_reallyold6 , 0, "");
+SYSCTL_V_INT(V_NET, vnet_inet6, _net_inet6_ip6, IPV6CTL_RTEXPIRE,
+    rtexpire, CTLFLAG_RW, rtq_reallyold6 , 0, "");
 
-SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTMINEXPIRE, rtminexpire,
-	CTLFLAG_RW, &rtq_minreallyold6 , 0, "");
+SYSCTL_V_INT(V_NET, vnet_inet6, _net_inet6_ip6, IPV6CTL_RTMINEXPIRE,
+    rtminexpire, CTLFLAG_RW, rtq_minreallyold6 , 0, "");
 
-SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RTMAXCACHE, rtmaxcache,
-	CTLFLAG_RW, &rtq_toomany6 , 0, "");
+SYSCTL_V_INT(V_NET, vnet_inet6, _net_inet6_ip6, IPV6CTL_RTMAXCACHE,
+    rtmaxcache, CTLFLAG_RW, rtq_toomany6 , 0, "");
 
 
 /*

sys/netinet6/in6_src.c

@@ -462,7 +462,6 @@ selectroute(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts,
     struct ifnet **retifp, struct rtentry **retrt, int clone,
     int norouteok)
 {
-	INIT_VNET_NET(curvnet);
 	INIT_VNET_INET6(curvnet);
 	int error = 0;
 	struct ifnet *ifp = NULL;

sys/netinet6/nd6_nbr.c

@@ -153,7 +153,7 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len)
 			    "(wrong ip6 dst)\n"));
 			goto bad;
 		}
-	} else if (!nd6_onlink_ns_rfc4861) {
+	} else if (!V_nd6_onlink_ns_rfc4861) {
 		struct sockaddr_in6 src_sa6;
 
 		/*

sys/netinet6/nd6_rtr.c

@@ -85,9 +85,9 @@ static void in6_init_address_ltimes __P((struct nd_prefix *,
 
 static int rt6_deleteroute(struct radix_node *, void *);
 
+#ifdef VIMAGE_GLOBALS
 extern int nd6_recalc_reachtm_interval;
 
-#ifdef VIMAGE_GLOBALS
 static struct ifnet *nd6_defifp;
 int nd6_defifindex;
 

sys/netinet6/raw_ip6.c

@@ -112,15 +112,15 @@ __FBSDID("$FreeBSD$");
  * Raw interface to IP6 protocol.
  */
 
+#ifdef VIMAGE_GLOBALS
 extern struct	inpcbhead ripcb;
 extern struct	inpcbinfo ripcbinfo;
-extern u_long	rip_sendspace;
-extern u_long	rip_recvspace;
-
-#ifdef VIMAGE_GLOBALS
 struct rip6stat rip6stat;
 #endif
 
+extern u_long	rip_sendspace;
+extern u_long	rip_recvspace;
+
 /*
  * Hooks for multicast forwarding.
  */
@@ -765,7 +765,6 @@ static int
 rip6_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
     struct mbuf *control, struct thread *td)
 {
-	INIT_VNET_INET(so->so_vnet);
 	struct inpcb *inp;
 	struct sockaddr_in6 tmp;
 	struct sockaddr_in6 *dst;

sys/netipsec/ipsec.c

@@ -2009,7 +2009,7 @@ static void
 ipsec_attach(void)
 {
 	SECPOLICY_LOCK_INIT(&V_ip4_def_policy);
-	ip4_def_policy.refcnt = 1;			/* NB: disallow free */
+	V_ip4_def_policy.refcnt = 1;			/* NB: disallow free */
 }
 SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL);
 

sys/netipsec/key.c

@@ -189,11 +189,11 @@ static const u_int saorder_state_valid_prefer_old[] = {
 static const u_int saorder_state_valid_prefer_new[] = {
 	SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
 };
-static u_int saorder_state_alive[] = {
+static const u_int saorder_state_alive[] = {
 	/* except DEAD */
 	SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
 };
-static u_int saorder_state_any[] = {
+static const u_int saorder_state_any[] = {
 	SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
 	SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD
 };
@@ -2699,9 +2699,9 @@ key_delsah(sah)
 
 	/* searching all SA registerd in the secindex. */
 	for (stateidx = 0;
-	     stateidx < _ARRAYLEN(V_saorder_state_any);
+	     stateidx < _ARRAYLEN(saorder_state_any);
 	     stateidx++) {
-		u_int state = V_saorder_state_any[stateidx];
+		u_int state = saorder_state_any[stateidx];
 		LIST_FOREACH_SAFE(sav, &sah->savtree[state], chain, nextsav) {
 			if (sav->refcnt == 0) {
 				/* sanity check */
@@ -2985,10 +2985,10 @@ key_getsavbyspi(sah, spi)
 	SAHTREE_LOCK_ASSERT();
 	/* search all status */
 	for (stateidx = 0;
-	     stateidx < _ARRAYLEN(V_saorder_state_alive);
+	     stateidx < _ARRAYLEN(saorder_state_alive);
 	     stateidx++) {
 
-		state = V_saorder_state_alive[stateidx];
+		state = saorder_state_alive[stateidx];
 		LIST_FOREACH(sav, &sah->savtree[state], chain) {
 
 			/* sanity check */
@@ -4336,6 +4336,7 @@ key_timehandler(void)
 	VNET_ITERATOR_DECL(vnet_iter);
 	time_t now = time_second;
 
+	VNET_LIST_RLOCK();
 	VNET_FOREACH(vnet_iter) {
 		CURVNET_SET(vnet_iter);
 		key_flush_spd(now);
@@ -4344,6 +4345,7 @@ key_timehandler(void)
 		key_flush_spacq(now);
 		CURVNET_RESTORE();
 	}
+	VNET_LIST_RUNLOCK();
 
 #ifndef IPSEC_DEBUG2
 	/* do exchange to tick time !! */
@@ -5313,9 +5315,9 @@ key_delete_all(so, m, mhp, proto)
 
 		/* Delete all non-LARVAL SAs. */
 		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(V_saorder_state_alive);
+		     stateidx < _ARRAYLEN(saorder_state_alive);
 		     stateidx++) {
-			state = V_saorder_state_alive[stateidx];
+			state = saorder_state_alive[stateidx];
 			if (state == SADB_SASTATE_LARVAL)
 				continue;
 			for (sav = LIST_FIRST(&sah->savtree[state]);
@@ -6518,9 +6520,9 @@ key_flush(so, m, mhp)
 			continue;
 
 		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(V_saorder_state_alive);
+		     stateidx < _ARRAYLEN(saorder_state_alive);
 		     stateidx++) {
-			state = V_saorder_state_any[stateidx];
+			state = saorder_state_any[stateidx];
 			for (sav = LIST_FIRST(&sah->savtree[state]);
 			     sav != NULL;
 			     sav = nextsav) {
@@ -6603,9 +6605,9 @@ key_dump(so, m, mhp)
 			continue;
 
 		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(V_saorder_state_any);
+		     stateidx < _ARRAYLEN(saorder_state_any);
 		     stateidx++) {
-			state = V_saorder_state_any[stateidx];
+			state = saorder_state_any[stateidx];
 			LIST_FOREACH(sav, &sah->savtree[state], chain) {
 				cnt++;
 			}
@@ -6633,9 +6635,9 @@ key_dump(so, m, mhp)
 		}
 
 		for (stateidx = 0;
-		     stateidx < _ARRAYLEN(V_saorder_state_any);
+		     stateidx < _ARRAYLEN(saorder_state_any);
 		     stateidx++) {
-			state = V_saorder_state_any[stateidx];
+			state = saorder_state_any[stateidx];
 			LIST_FOREACH(sav, &sah->savtree[state], chain) {
 				n = key_setdumpsa(sav, SADB_DUMP, satype,
 				    --cnt, mhp->msg->sadb_msg_pid);

sys/netipsec/keysock.c

@@ -76,7 +76,7 @@ static struct key_cb key_cb;
 struct pfkeystat pfkeystat;
 #endif
 
-static struct sockaddr key_src = { 2, PF_KEY, };
+static struct sockaddr key_src = { 2, PF_KEY };
 
 static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
 
@@ -166,7 +166,7 @@ key_sendup0(rp, m, promisc)
 		V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
 	}
 
-	if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&V_key_src,
+	if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src,
 	    m, NULL)) {
 		V_pfkeystat.in_nomem++;
 		m_freem(m);

sys/netipsec/vipsec.h

@@ -81,8 +81,6 @@ struct vnet_ipsec {
 	int			_key_preferred_oldsa;
 	u_int32_t		_acq_seq;
 
-	u_int			_saorder_state_alive[3];
-	u_int			_saorder_state_any[4];
 	int			_esp_enable;
 	struct espstat		_espstat;
 	int			_esp_max_ivlen;
@@ -98,7 +96,6 @@ struct vnet_ipsec {
 	int			_ip6_ah_trans_deflev;
 	int			_ip6_ah_net_deflev;
 	int			_ip6_ipsec_ecn;
-	int			_ip6_esp_randpad;
 
 	int			_ah_enable;
 	int			_ah_cleartos;
@@ -109,9 +106,6 @@ struct vnet_ipsec {
 
 	struct pfkeystat	_pfkeystat;
 	struct key_cb		_key_cb;
-	struct sockaddr		_key_dst;
-	struct sockaddr		_key_src;
-
 	LIST_HEAD(, secpolicy)	_sptree[IPSEC_DIR_MAX];
 	LIST_HEAD(, secashead)	_sahtree;
 	LIST_HEAD(, secreg)	_regtree[SADB_SATYPE_MAX + 1];
@@ -168,20 +162,16 @@ struct vnet_ipsec {
 #define	V_key_blockacq_lifetime		VNET_IPSEC(key_blockacq_lifetime)
 #define	V_key_cb			VNET_IPSEC(key_cb)
 #define	V_key_debug_level		VNET_IPSEC(key_debug_level)
-#define	V_key_dst			VNET_IPSEC(key_dst)
 #define	V_key_int_random		VNET_IPSEC(key_int_random)
 #define	V_key_larval_lifetime		VNET_IPSEC(key_larval_lifetime)
 #define	V_key_preferred_oldsa		VNET_IPSEC(key_preferred_oldsa)
 #define	V_key_spi_maxval		VNET_IPSEC(key_spi_maxval)	
 #define	V_key_spi_minval		VNET_IPSEC(key_spi_minval)
 #define	V_key_spi_trycnt		VNET_IPSEC(key_spi_trycnt)
-#define	V_key_src			VNET_IPSEC(key_src)
 #define	V_pfkeystat			VNET_IPSEC(pfkeystat)
 #define	V_policy_id			VNET_IPSEC(policy_id)
 #define	V_regtree			VNET_IPSEC(regtree)
 #define	V_sahtree			VNET_IPSEC(sahtree)
-#define	V_saorder_state_alive		VNET_IPSEC(saorder_state_alive)
-#define	V_saorder_state_any		VNET_IPSEC(saorder_state_any)
 #define	V_spacqtree			VNET_IPSEC(spacqtree)
 #define	V_sptree			VNET_IPSEC(sptree)