First pass at separating per-vnet initializer functions

from existing functions for initializing global state. At this stage, the new per-vnet initializer functions are directly called from the existing global initialization code, which should in most cases result in compiler inlining those new functions, hence yielding a near-zero functional change. Modify the existing initializer functions which are invoked via protosw, like ip_init() et. al., to allow them to be invoked multiple times, i.e. per each vnet. Global state, if any, is initialized only if such functions are called within the context of vnet0, which will be determined via the IS_DEFAULT_VNET(curvnet) check (currently always true). While here, V_irtualize a few remaining global UMA zones used by net/netinet/netipsec networking code. While it is not yet clear to me or anybody else whether this is the right thing to do, at this stage this makes the code more readable, and makes it easier to track uncollected UMA-zone-backed objects on vnet removal. In the long run, it's quite possible that some form of shared use of UMA zone pools among multiple vnets should be considered. Bump __FreeBSD_version due to changes in layout of structs vnet_ipfw, vnet_inet and vnet_net. Approved by: julian (mentor)
2009-04-06 22:29:41 +00:00 · 2009-04-06 22:29:41 +00:00 · c85551e0bc
commit c85551e0bc
parent f28ea657e9
25 changed files with 287 additions and 125 deletions
--- a/sys/net/if.c
+++ b/sys/net/if.c
@ -150,6 +150,8 @@ static int	if_getgroupmembers(struct ifgroupreq *);
 extern void	nd6_setmtu(struct ifnet *);
 #endif

+static int	vnet_net_iattach(const void *);
+
 #ifdef VIMAGE_GLOBALS
 struct	ifnethead ifnet;	/* depend on static init XXX */
 struct	ifgrouphead ifg_head;
@ -391,24 +393,33 @@ filt_netdev(struct knote *kn, long hint)
 static void
 if_init(void *dummy __unused)
 {
-	INIT_VNET_NET(curvnet);

 #ifndef VIMAGE_GLOBALS
 	vnet_mod_register(&vnet_net_modinfo);
 #endif
+	vnet_net_iattach(NULL);
+
+	IFNET_LOCK_INIT();
+	ifdev_setbyindex(0, make_dev(&net_cdevsw, 0, UID_ROOT, GID_WHEEL,
+	    0600, "network"));
+	if_clone_init();
+}
+
+static int
+vnet_net_iattach(const void *unused __unused)
+{
+	INIT_VNET_NET(curvnet);

 	V_if_index = 0;
 	V_ifindex_table = NULL;
 	V_if_indexlim = 8;

-	IFNET_LOCK_INIT();
 	TAILQ_INIT(&V_ifnet);
 	TAILQ_INIT(&V_ifg_head);
 	knlist_init(&V_ifklist, NULL, NULL, NULL, NULL);
 	if_grow();				/* create initial table */
-	ifdev_setbyindex(0, make_dev(&net_cdevsw, 0, UID_ROOT, GID_WHEEL,
-	    0600, "network"));
-	if_clone_init();
+
+	return (0);
 }

 static void
--- a/sys/net/if_gif.c
+++ b/sys/net/if_gif.c
@ -121,6 +121,7 @@ void	(*ng_gif_detach_p)(struct ifnet *ifp);
 static void	gif_start(struct ifnet *);
 static int	gif_clone_create(struct if_clone *, int, caddr_t);
 static void	gif_clone_destroy(struct ifnet *);
+static int	vnet_gif_iattach(const void *);

 IFC_SIMPLE_DECLARE(gif, 0);

@ -250,6 +251,26 @@ gif_clone_destroy(ifp)
 	free(sc, M_GIF);
 }

+static int
+vnet_gif_iattach(const void *unused __unused)
+{
+	INIT_VNET_GIF(curvnet);
+
+	LIST_INIT(&V_gif_softc_list);
+	V_max_gif_nesting = MAX_GIF_NEST;
+#ifdef XBONEHACK
+	V_parallel_tunnels = 1;
+#else
+	V_parallel_tunnels = 0;
+#endif
+	V_ip_gif_ttl = GIF_TTL;
+#ifdef INET6
+	V_ip6_gif_hlim = GIF_HLIM;
+#endif
+  
+	return (0);
+}
+
 static int
 gifmodevent(mod, type, data)
 	module_t mod;
@ -261,19 +282,7 @@ gifmodevent(mod, type, data)
 	case MOD_LOAD:
 		mtx_init(&gif_mtx, "gif_mtx", NULL, MTX_DEF);

-		LIST_INIT(&V_gif_softc_list);
-		V_max_gif_nesting = MAX_GIF_NEST;
-#ifdef XBONEHACK
-		V_parallel_tunnels = 1;
-#else
-		V_parallel_tunnels = 0;
-#endif
-#ifdef INET
-		V_ip_gif_ttl = GIF_TTL;
-#endif
-#ifdef INET6
-		V_ip6_gif_hlim = GIF_HLIM;
-#endif
+		vnet_gif_iattach(NULL);
 		if_clone_attach(&gif_cloner);

 		break;
@ -281,7 +290,7 @@ gifmodevent(mod, type, data)
 		if_clone_detach(&gif_cloner);
 		mtx_destroy(&gif_mtx);
 #ifdef INET6
-		V_ip6_gif_hlim = 0;
+		V_ip6_gif_hlim = 0;	/* XXX -> vnet_gif_idetach() */
 #endif
 		break;
 	default:
--- a/sys/net/if_loop.c
+++ b/sys/net/if_loop.c
@ -105,6 +105,7 @@ int		looutput(struct ifnet *ifp, struct mbuf *m,
 		    struct sockaddr *dst, struct rtentry *rt);
 static int	lo_clone_create(struct if_clone *, int, caddr_t);
 static void	lo_clone_destroy(struct ifnet *);
+static int	vnet_loif_iattach(const void *);

 #ifdef VIMAGE_GLOBALS
 struct ifnet *loif;			/* Used externally */
@ -153,6 +154,15 @@ lo_clone_create(struct if_clone *ifc, int unit, caddr_t params)
 	return (0);
 }

+static int vnet_loif_iattach(const void *unused __unused)
+{
+	INIT_VNET_NET(curvnet);
+
+	V_loif = NULL;
+	if_clone_attach(&lo_cloner);
+	return (0);
+}
+
 static int
 loop_modevent(module_t mod, int type, void *data)
 {
@ -160,8 +170,7 @@ loop_modevent(module_t mod, int type, void *data)

 	switch (type) {
 	case MOD_LOAD:
-		V_loif = NULL;
-		if_clone_attach(&lo_cloner);
+		vnet_loif_iattach(NULL);
 		break;

 	case MOD_UNLOAD:
--- a/sys/net/route.c
+++ b/sys/net/route.c
@ -106,6 +106,7 @@ static int	rttrash;		/* routes not in table but not freed */

 static void rt_maskedcopy(struct sockaddr *,
 	    struct sockaddr *, struct sockaddr *);
+static int vnet_route_iattach(const void *);

 /* compare two sockaddr structures */
 #define	sa_equal(a1, a2) (bcmp((a1), (a2), (a1)->sa_len) == 0)
@ -122,7 +123,9 @@ static void rt_maskedcopy(struct sockaddr *,
 */
 #define RNTORT(p)	((struct rtentry *)(p))

+#ifdef VIMAGE_GLOBALS
 static uma_zone_t rtzone;		/* Routing table UMA zone. */
+#endif

 #if 0
 /* default fib for tunnels to use */
@ -150,20 +153,26 @@ SYSCTL_PROC(_net, OID_AUTO, my_fibnum, CTLTYPE_INT|CTLFLAG_RD,
 static void
 route_init(void)
 {
-	INIT_VNET_INET(curvnet);
-	int table;
-	struct domain *dom;
-	int fam;

 	/* whack the tunable ints into  line. */
 	if (rt_numfibs > RT_MAXFIBS)
 		rt_numfibs = RT_MAXFIBS;
 	if (rt_numfibs == 0)
 		rt_numfibs = 1;
-	rtzone = uma_zcreate("rtentry", sizeof(struct rtentry), NULL, NULL,
-	    NULL, NULL, UMA_ALIGN_PTR, 0);
 	rn_init();	/* initialize all zeroes, all ones, mask table */

+	vnet_route_iattach(NULL);
+}
+
+static int vnet_route_iattach(const void *unused __unused)
+{
+	INIT_VNET_INET(curvnet);
+	int table;
+	struct domain *dom;
+	int fam;
+
+	V_rtzone = uma_zcreate("rtentry", sizeof(struct rtentry), NULL, NULL,
+	    NULL, NULL, UMA_ALIGN_PTR, 0);
 	for (dom = domains; dom; dom = dom->dom_next) {
 		if (dom->dom_rtattach)  {
 			for  (table = 0; table < rt_numfibs; table++) {
@ -186,6 +195,8 @@ route_init(void)
 			}
 		}
 	}
+
+	return (0);
 }

 #ifndef _SYS_SYSPROTO_H_
@ -402,7 +413,7 @@ rtfree(struct rtentry *rt)
 		 * and the rtentry itself of course
 		 */
 		RT_LOCK_DESTROY(rt);
-		uma_zfree(rtzone, rt);
+		uma_zfree(V_rtzone, rt);
 		return;
 	}
 done:
@ -958,7 +969,7 @@ rtrequest1_fib(int req, struct rt_addrinfo *info, struct rtentry **ret_nrt,
 		if (info->rti_ifa == NULL && (error = rt_getifa_fib(info, fibnum)))
 			senderr(error);
 		ifa = info->rti_ifa;
-		rt = uma_zalloc(rtzone, M_NOWAIT | M_ZERO);
+		rt = uma_zalloc(V_rtzone, M_NOWAIT | M_ZERO);
 		if (rt == NULL)
 			senderr(ENOBUFS);
 		RT_LOCK_INIT(rt);
@ -971,7 +982,7 @@ rtrequest1_fib(int req, struct rt_addrinfo *info, struct rtentry **ret_nrt,
 		RT_LOCK(rt);
 		if ((error = rt_setgate(rt, dst, gateway)) != 0) {
 			RT_LOCK_DESTROY(rt);
-			uma_zfree(rtzone, rt);
+			uma_zfree(V_rtzone, rt);
 			senderr(error);
 		}

@ -1006,7 +1017,7 @@ rtrequest1_fib(int req, struct rt_addrinfo *info, struct rtentry **ret_nrt,
 			}
 			Free(rt_key(rt));
 			RT_LOCK_DESTROY(rt);
-			uma_zfree(rtzone, rt);
+			uma_zfree(V_rtzone, rt);
 			senderr(EEXIST);
 		}
 #endif
@ -1022,7 +1033,7 @@ rtrequest1_fib(int req, struct rt_addrinfo *info, struct rtentry **ret_nrt,
 				IFAFREE(rt->rt_ifa);
 			Free(rt_key(rt));
 			RT_LOCK_DESTROY(rt);
-			uma_zfree(rtzone, rt);
+			uma_zfree(V_rtzone, rt);
 			senderr(EEXIST);
 		}

--- a/sys/net/vnet.h
+++ b/sys/net/vnet.h
@ -47,6 +47,7 @@ struct vnet_net {
 	struct	rtstat _rtstat;
 	struct	radix_node_head *_rt_tables[RT_MAXFIBS][AF_MAX+1];
 	int	_rttrash;
+	uma_zone_t _rtzone;

 	struct	ifnet *_loif;
 	LIST_HEAD(, lo_softc) _lo_list;
@ -86,5 +87,6 @@ extern struct vnet_net vnet_net_0;
 #define	V_rt_tables	VNET_NET(rt_tables)
 #define	V_rtstat	VNET_NET(rtstat)
 #define	V_rttrash	VNET_NET(rttrash)
+#define	V_rtzone	VNET_NET(rtzone)

 #endif /* !_NET_VNET_H_ */
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@ -111,6 +111,7 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, proxyall,
 	"Enable proxy ARP for all suitable requests");

 static void	arp_init(void);
+static int	arp_iattach(const void *);
 void		arprequest(struct ifnet *,
 			struct in_addr *, struct in_addr *, u_char *);
 static void	arpintr(struct mbuf *);
@ -790,8 +791,8 @@ arp_ifinit2(struct ifnet *ifp, struct ifaddr *ifa, u_char *enaddr)
 	ifa->ifa_rtrequest = NULL;
 }

-static void
-arp_init(void)
+static int
+arp_iattach(const void *unused __unused)
 {
 	INIT_VNET_INET(curvnet);

@ -800,6 +801,15 @@ arp_init(void)
 	V_useloopback = 1; /* use loopback interface for local traffic */
 	V_arp_proxyall = 0;

+	return (0);
+}
+
+static void
+arp_init(void)
+{
+
+	arp_iattach(NULL);
+
 	arpintrq.ifq_maxlen = 50;
 	mtx_init(&arpintrq.ifq_mtx, "arp_inq", NULL, MTX_DEF);
 	netisr_register(NETISR_ARP, arpintr, &arpintrq, 0);
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@ -698,6 +698,7 @@ struct vnet_ipfw {
 	int	_fw_debug;		/* actually unused */
 	int	_autoinc_step;
 	ipfw_dyn_rule **_ipfw_dyn_v;
+	uma_zone_t _ipfw_dyn_rule_zone;
 	struct ip_fw_chain _layer3_chain;
 	u_int32_t _dyn_buckets;
 	u_int32_t _curr_dyn_buckets;
@ -742,6 +743,7 @@ extern struct vnet_ipfw vnet_ipfw_0;
 #define	V_fw_debug		VNET_IPFW(fw_debug)
 #define	V_autoinc_step		VNET_IPFW(autoinc_step)
 #define	V_ipfw_dyn_v		VNET_IPFW(ipfw_dyn_v)
+#define	V_ipfw_dyn_rule_zone	VNET_IPFW(ipfw_dyn_rule_zone)
 #define	V_layer3_chain		VNET_IPFW(layer3_chain)
 #define	V_dyn_buckets		VNET_IPFW(dyn_buckets)
 #define	V_curr_dyn_buckets	VNET_IPFW(curr_dyn_buckets)
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -242,6 +242,7 @@ ip_init(void)
 	V_rsvp_on = 0;
 	V_ip_defttl = IPDEFTTL;
 	V_ip_do_randomid = 0;
+	V_ip_id = time_second & 0xffff;
 	V_ipforwarding = 0;
 	V_ipstealth = 0;
 	V_nipq = 0;	/* Total # of reass queues */
@ -270,6 +271,20 @@ ip_init(void)

 	TAILQ_INIT(&V_in_ifaddrhead);
 	V_in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &V_in_ifaddrhmask);
+
+	/* Initialize IP reassembly queue. */
+	for (i = 0; i < IPREASS_NHASH; i++)
+		TAILQ_INIT(&V_ipq[i]);
+	V_maxnipq = nmbclusters / 32;
+	V_maxfragsperpacket = 16;
+	V_ipq_zone = uma_zcreate("ipq", sizeof(struct ipq), NULL, NULL, NULL,
+	    NULL, UMA_ALIGN_PTR, 0);
+	maxnipq_update();
+
+	/* Skip initialization of globals for non-default instances. */
+	if (!IS_DEFAULT_VNET(curvnet))
+		return;
+
 	pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
 	if (pr == NULL)
 		panic("ip_init: PF_INET not found");
@ -297,16 +312,6 @@ ip_init(void)
 		printf("%s: WARNING: unable to register pfil hook, "
 			"error %d\n", __func__, i);

-	/* Initialize IP reassembly queue. */
-	IPQ_LOCK_INIT();
-	for (i = 0; i < IPREASS_NHASH; i++)
-	    TAILQ_INIT(&V_ipq[i]);
-	V_maxnipq = nmbclusters / 32;
-	V_maxfragsperpacket = 16;
-	V_ipq_zone = uma_zcreate("ipq", sizeof(struct ipq), NULL, NULL, NULL,
-	    NULL, UMA_ALIGN_PTR, 0);
-	maxnipq_update();
-
 	/* Start ipport_tick. */
 	callout_init(&ipport_tick_callout, CALLOUT_MPSAFE);
 	ipport_tick(NULL);
@ -316,7 +321,7 @@ ip_init(void)
 		NULL, EVENTHANDLER_PRI_ANY);

 	/* Initialize various other remaining things. */
-	V_ip_id = time_second & 0xffff;
+	IPQ_LOCK_INIT();
 	ipintrq.ifq_maxlen = ipqmaxlen;
 	mtx_init(&ipintrq.ifq_mtx, "ip_inq", NULL, MTX_DEF);
 	netisr_register(NETISR_IP, ip_input, &ipintrq, 0);
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@ -108,10 +108,12 @@ tcp_reass_zone_change(void *tag)
 	INIT_VNET_INET(curvnet);

 	V_tcp_reass_maxseg = nmbclusters / 16;
-	uma_zone_set_max(tcp_reass_zone, V_tcp_reass_maxseg);
+	uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
 }

+#ifdef VIMAGE_GLOBALS
 uma_zone_t	tcp_reass_zone;
+#endif

 void
 tcp_reass_init(void)
@ -126,9 +128,9 @@ tcp_reass_init(void)
 	V_tcp_reass_maxseg = nmbclusters / 16;
 	TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
 	    &V_tcp_reass_maxseg);
-	tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+	V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
-	uma_zone_set_max(tcp_reass_zone, V_tcp_reass_maxseg);
+	uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
 	EVENTHANDLER_REGISTER(nmbclusters_change,
 	    tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
 }
@ -180,7 +182,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)
 	 * Allocate a new queue entry. If we can't, or hit the zone limit
 	 * just drop the pkt.
 	 */
-	te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
+	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
 	if (te == NULL) {
 		V_tcpstat.tcps_rcvmemdrop++;
 		m_freem(m);
@ -213,7 +215,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)
 				V_tcpstat.tcps_rcvduppack++;
 				V_tcpstat.tcps_rcvdupbyte += *tlenp;
 				m_freem(m);
-				uma_zfree(tcp_reass_zone, te);
+				uma_zfree(V_tcp_reass_zone, te);
 				tp->t_segqlen--;
 				V_tcp_reass_qsize--;
 				/*
@ -250,7 +252,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)
 		nq = LIST_NEXT(q, tqe_q);
 		LIST_REMOVE(q, tqe_q);
 		m_freem(q->tqe_m);
-		uma_zfree(tcp_reass_zone, q);
+		uma_zfree(V_tcp_reass_zone, q);
 		tp->t_segqlen--;
 		V_tcp_reass_qsize--;
 		q = nq;
@ -287,7 +289,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int *tlenp, struct mbuf *m)
 			m_freem(q->tqe_m);
 		else
 			sbappendstream_locked(&so->so_rcv, q->tqe_m);
-		uma_zfree(tcp_reass_zone, q);
+		uma_zfree(V_tcp_reass_zone, q);
 		tp->t_segqlen--;
 		V_tcp_reass_qsize--;
 		q = nq;
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@ -123,9 +123,8 @@ __FBSDID("$FreeBSD$");

 #include <machine/in_cksum.h>

-extern struct uma_zone *sack_hole_zone;
-
 #ifdef VIMAGE_GLOBALS
+extern struct uma_zone *sack_hole_zone;
 int tcp_do_sack;
 int tcp_sack_maxholes;
 int tcp_sack_globalmaxholes;
@ -265,7 +264,7 @@ tcp_sackhole_alloc(struct tcpcb *tp, tcp_seq start, tcp_seq end)
 		return NULL;
 	}

-	hole = (struct sackhole *)uma_zalloc(sack_hole_zone, M_NOWAIT);
+	hole = (struct sackhole *)uma_zalloc(V_sack_hole_zone, M_NOWAIT);
 	if (hole == NULL)
 		return NULL;

@ -287,7 +286,7 @@ tcp_sackhole_free(struct tcpcb *tp, struct sackhole *hole)
 {
 	INIT_VNET_INET(tp->t_vnet);

-	uma_zfree(sack_hole_zone, hole);
+	uma_zfree(V_sack_hole_zone, hole);

 	tp->snd_numholes--;
 	V_tcp_sack_globalholes--;
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@ -243,7 +243,9 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, stab,
    CTLFLAG_RW, tcp_inflight_stab, 0,
    "Inflight Algorithm Stabilization 20 = 2 packets");

+#ifdef VIMAGE_GLOBALS
 uma_zone_t sack_hole_zone;
+#endif

 static struct inpcb *tcp_notify(struct inpcb *, int);
 static void	tcp_isn_tick(void *);
@ -269,7 +271,9 @@ struct tcpcb_mem {
 	struct	tcp_timer	tt;
 };

+#ifdef VIMAGE_GLOBALS
 static uma_zone_t tcpcb_zone;
+#endif
 MALLOC_DEFINE(M_TCPLOG, "tcplog", "TCP address and flags print buffers");
 struct callout isn_callout;
 static struct mtx isn_mtx;
@ -286,7 +290,7 @@ tcp_zone_change(void *tag)
 {

 	uma_zone_set_max(V_tcbinfo.ipi_zone, maxsockets);
-	uma_zone_set_max(tcpcb_zone, maxsockets);
+	uma_zone_set_max(V_tcpcb_zone, maxsockets);
 	tcp_tw_zone_change();
 }

@ -348,18 +352,7 @@ tcp_init(void)
 	V_tcp_sack_globalmaxholes = 65536;
 	V_tcp_sack_globalholes = 0;

-	tcp_delacktime = TCPTV_DELACK;
-	tcp_keepinit = TCPTV_KEEP_INIT;
-	tcp_keepidle = TCPTV_KEEP_IDLE;
-	tcp_keepintvl = TCPTV_KEEPINTVL;
-	tcp_maxpersistidle = TCPTV_KEEP_IDLE;
-	tcp_msl = TCPTV_MSL;
-	tcp_rexmit_min = TCPTV_MIN;
-	if (tcp_rexmit_min < 1)
-		tcp_rexmit_min = 1;
-	tcp_rexmit_slop = TCPTV_CPU_VAR;
 	V_tcp_inflight_rttthresh = TCPTV_INFLIGHT_RTTTHRESH;
-	tcp_finwait2_timeout = TCPTV_FINWAIT2_TIMEOUT;

 	TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);

@ -372,7 +365,6 @@ tcp_init(void)
 		printf("WARNING: TCB hash size not a power of 2\n");
 		hashsize = 512; /* safe default */
 	}
-	tcp_tcbhashsize = hashsize;
 	V_tcbinfo.ipi_hashbase = hashinit(hashsize, M_PCB,
 	    &V_tcbinfo.ipi_hashmask);
 	V_tcbinfo.ipi_porthashbase = hashinit(hashsize, M_PCB,
@ -380,6 +372,37 @@ tcp_init(void)
 	V_tcbinfo.ipi_zone = uma_zcreate("inpcb", sizeof(struct inpcb),
 	    NULL, NULL, tcp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
 	uma_zone_set_max(V_tcbinfo.ipi_zone, maxsockets);
+	/*
+	 * These have to be type stable for the benefit of the timers.
+	 */
+	V_tcpcb_zone = uma_zcreate("tcpcb", sizeof(struct tcpcb_mem),
+	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+	uma_zone_set_max(V_tcpcb_zone, maxsockets);
+	tcp_tw_init();
+	syncache_init();
+	tcp_hc_init();
+	tcp_reass_init();
+	V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
+	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+
+	/* Skip initialization of globals for non-default instances. */
+	if (!IS_DEFAULT_VNET(curvnet))
+		return;
+
+	/* XXX virtualize those bellow? */
+	tcp_delacktime = TCPTV_DELACK;
+	tcp_keepinit = TCPTV_KEEP_INIT;
+	tcp_keepidle = TCPTV_KEEP_IDLE;
+	tcp_keepintvl = TCPTV_KEEPINTVL;
+	tcp_maxpersistidle = TCPTV_KEEP_IDLE;
+	tcp_msl = TCPTV_MSL;
+	tcp_rexmit_min = TCPTV_MIN;
+	if (tcp_rexmit_min < 1)
+		tcp_rexmit_min = 1;
+	tcp_rexmit_slop = TCPTV_CPU_VAR;
+	tcp_finwait2_timeout = TCPTV_FINWAIT2_TIMEOUT;
+	tcp_tcbhashsize = hashsize;
+
 #ifdef INET6
 #define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr))
 #else /* INET6 */
@ -390,23 +413,12 @@ tcp_init(void)
 	if (max_linkhdr + TCP_MINPROTOHDR > MHLEN)
 		panic("tcp_init");
 #undef TCP_MINPROTOHDR
-	/*
-	 * These have to be type stable for the benefit of the timers.
-	 */
-	tcpcb_zone = uma_zcreate("tcpcb", sizeof(struct tcpcb_mem),
-	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
-	uma_zone_set_max(tcpcb_zone, maxsockets);
-	tcp_tw_init();
-	syncache_init();
-	tcp_hc_init();
-	tcp_reass_init();
+
 	ISN_LOCK_INIT();
 	callout_init(&isn_callout, CALLOUT_MPSAFE);
-	tcp_isn_tick(NULL);
+	callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
 	EVENTHANDLER_REGISTER(shutdown_pre_sync, tcp_fini, NULL,
 		SHUTDOWN_PRI_DEFAULT);
-	sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
-	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
 	EVENTHANDLER_REGISTER(maxsockets_change, tcp_zone_change, NULL,
 		EVENTHANDLER_PRI_ANY);
 }
@ -686,7 +698,7 @@ tcp_newtcpcb(struct inpcb *inp)
 	int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
 #endif /* INET6 */

-	tm = uma_zalloc(tcpcb_zone, M_NOWAIT | M_ZERO);
+	tm = uma_zalloc(V_tcpcb_zone, M_NOWAIT | M_ZERO);
 	if (tm == NULL)
 		return (NULL);
 	tp = &tm->tcb;
@ -846,7 +858,7 @@ tcp_discardcb(struct tcpcb *tp)
 	while ((q = LIST_FIRST(&tp->t_segq)) != NULL) {
 		LIST_REMOVE(q, tqe_q);
 		m_freem(q->tqe_m);
-		uma_zfree(tcp_reass_zone, q);
+		uma_zfree(V_tcp_reass_zone, q);
 		tp->t_segqlen--;
 		V_tcp_reass_qsize--;
 	}
@ -856,7 +868,7 @@ tcp_discardcb(struct tcpcb *tp)
 	tcp_free_sackholes(tp);
 	inp->inp_ppcb = NULL;
 	tp->t_inpcb = NULL;
-	uma_zfree(tcpcb_zone, tp);
+	uma_zfree(V_tcpcb_zone, tp);
 }

 /*
@ -929,7 +941,7 @@ tcp_drain(void)
 			            != NULL) {
 					LIST_REMOVE(te, tqe_q);
 					m_freem(te->tqe_m);
-					uma_zfree(tcp_reass_zone, te);
+					uma_zfree(V_tcp_reass_zone, te);
 					tcpb->t_segqlen--;
 					V_tcp_reass_qsize--;
 				}
@ -1546,8 +1558,8 @@ tcp_isn_tick(void *xtp)
 	VNET_ITERATOR_DECL(vnet_iter);
 	u_int32_t projected_offset;

-	ISN_LOCK();
 	VNET_LIST_RLOCK();
+	ISN_LOCK();
 	VNET_FOREACH(vnet_iter) {
 		CURVNET_SET(vnet_iter); /* XXX appease INVARIANTS */
 		INIT_VNET_INET(curvnet);
@ -1560,9 +1572,9 @@ tcp_isn_tick(void *xtp)
 		V_isn_offset_old = V_isn_offset;
 		CURVNET_RESTORE();
 	}
+	ISN_UNLOCK();
 	VNET_LIST_RUNLOCK();
 	callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
-	ISN_UNLOCK();
 }

 /*
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@ -94,7 +94,6 @@ __FBSDID("$FreeBSD$");

 #include <security/mac/mac_framework.h>

-static uma_zone_t tcptw_zone;
 static int	maxtcptw;

 /*
@ -104,6 +103,7 @@ static int	maxtcptw;
 * tcbinfo lock, which must be held over queue iteration and modification.
 */
 #ifdef VIMAGE_GLOBALS
+static uma_zone_t tcptw_zone;
 static TAILQ_HEAD(, tcptw)	twq_2msl;
 int	nolocaltimewait;
 #endif
@ -142,7 +142,7 @@ sysctl_maxtcptw(SYSCTL_HANDLER_ARGS)
 	if (error == 0 && req->newptr)
 		if (new >= 32) {
 			maxtcptw = new;
-			uma_zone_set_max(tcptw_zone, maxtcptw);
+			uma_zone_set_max(V_tcptw_zone, maxtcptw);
 		}
 	return (error);
 }
@ -160,7 +160,7 @@ tcp_tw_zone_change(void)
 {

 	if (maxtcptw == 0)
-		uma_zone_set_max(tcptw_zone, tcptw_auto_size());
+		uma_zone_set_max(V_tcptw_zone, tcptw_auto_size());
 }

 void
@ -168,13 +168,13 @@ tcp_tw_init(void)
 {
 	INIT_VNET_INET(curvnet);

-	tcptw_zone = uma_zcreate("tcptw", sizeof(struct tcptw),
+	V_tcptw_zone = uma_zcreate("tcptw", sizeof(struct tcptw),
 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
 	TUNABLE_INT_FETCH("net.inet.tcp.maxtcptw", &maxtcptw);
 	if (maxtcptw == 0)
-		uma_zone_set_max(tcptw_zone, tcptw_auto_size());
+		uma_zone_set_max(V_tcptw_zone, tcptw_auto_size());
 	else
-		uma_zone_set_max(tcptw_zone, maxtcptw);
+		uma_zone_set_max(V_tcptw_zone, maxtcptw);
 	TAILQ_INIT(&V_twq_2msl);
 }

@ -204,7 +204,7 @@ tcp_twstart(struct tcpcb *tp)
 		return;
 	}

-	tw = uma_zalloc(tcptw_zone, M_NOWAIT);
+	tw = uma_zalloc(V_tcptw_zone, M_NOWAIT);
 	if (tw == NULL) {
 		tw = tcp_tw_2msl_scan(1);
 		if (tw == NULL) {
@ -477,7 +477,7 @@ tcp_twclose(struct tcptw *tw, int reuse)
 	tw->tw_cred = NULL;
 	if (reuse)
 		return;
-	uma_zfree(tcptw_zone, tw);
+	uma_zfree(V_tcptw_zone, tw);
 }

 int
--- a/sys/netinet/vinet.h
+++ b/sys/netinet/vinet.h
@ -86,6 +86,11 @@ struct vnet_inet {
 	struct	tcp_hostcache _tcp_hostcache;
 	struct  callout _tcp_hc_callout;

+	uma_zone_t _tcp_reass_zone;
+	uma_zone_t _tcpcb_zone;
+	uma_zone_t _tcptw_zone;
+	uma_zone_t _sack_hole_zone;
+
 	struct	tcp_syncache _tcp_syncache;
 	int	_tcp_syncookies;
 	int	_tcp_syncookiesonly;
@ -315,12 +320,15 @@ extern struct vnet_inet vnet_inet_0;
 #define	V_rtq_timeout		VNET_INET(rtq_timeout)
 #define	V_rtq_timer		VNET_INET(rtq_timer)
 #define	V_rtq_toomany		VNET_INET(rtq_toomany)
+#define	V_sack_hole_zone	VNET_INET(sack_hole_zone)
 #define	V_sameprefixcarponly	VNET_INET(sameprefixcarponly)
 #define	V_ss_fltsz		VNET_INET(ss_fltsz)
 #define	V_ss_fltsz_local	VNET_INET(ss_fltsz_local)
 #define	V_subnetsarelocal	VNET_INET(subnetsarelocal)
 #define	V_tcb			VNET_INET(tcb)
 #define	V_tcbinfo		VNET_INET(tcbinfo)
+#define	V_tcpcb_zone		VNET_INET(tcpcb_zone)
+#define	V_tcptw_zone		VNET_INET(tcptw_zone)
 #define	V_tcp_abc_l_var		VNET_INET(tcp_abc_l_var)
 #define	V_tcp_autorcvbuf_inc	VNET_INET(tcp_autorcvbuf_inc)
 #define	V_tcp_autorcvbuf_max	VNET_INET(tcp_autorcvbuf_max)
@ -353,6 +361,7 @@ extern struct vnet_inet vnet_inet_0;
 #define	V_tcp_reass_maxseg	VNET_INET(tcp_reass_maxseg)
 #define	V_tcp_reass_overflows	VNET_INET(tcp_reass_overflows)
 #define	V_tcp_reass_qsize	VNET_INET(tcp_reass_qsize)
+#define	V_tcp_reass_zone	VNET_INET(tcp_reass_zone)
 #define	V_tcp_sack_globalholes	VNET_INET(tcp_sack_globalholes)
 #define	V_tcp_sack_globalmaxholes VNET_INET(tcp_sack_globalmaxholes)
 #define	V_tcp_sack_maxholes	VNET_INET(tcp_sack_maxholes)
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@ -109,14 +109,16 @@ frag6_init(void)
 {
 	INIT_VNET_INET6(curvnet);

+	V_ip6q.ip6q_next = V_ip6q.ip6q_prev = &V_ip6q;
 	V_ip6_maxfragpackets = nmbclusters / 4;
 	V_ip6_maxfrags = nmbclusters / 4;
-	EVENTHANDLER_REGISTER(nmbclusters_change,
-	    frag6_change, NULL, EVENTHANDLER_PRI_ANY);
+
+	if (!IS_DEFAULT_VNET(curvnet))
+		return;

 	IP6Q_LOCK_INIT();
-
-	V_ip6q.ip6q_next = V_ip6q.ip6q_prev = &V_ip6q;
+	EVENTHANDLER_REGISTER(nmbclusters_change,
+	    frag6_change, NULL, EVENTHANDLER_PRI_ANY);
 }

 /*
--- a/sys/netinet6/in6_src.c
+++ b/sys/netinet6/in6_src.c
@ -920,8 +920,6 @@ in6_pcbsetport(struct in6_addr *laddr, struct inpcb *inp, struct ucred *cred)
 void
 addrsel_policy_init(void)
 {
-	ADDRSEL_LOCK_INIT();
-	ADDRSEL_SXLOCK_INIT();
 	INIT_VNET_INET6(curvnet);

 	V_ip6_prefer_tempaddr = 0;
@ -931,6 +929,12 @@ addrsel_policy_init(void)
 	/* initialize the "last resort" policy */
 	bzero(&V_defaultaddrpolicy, sizeof(V_defaultaddrpolicy));
 	V_defaultaddrpolicy.label = ADDR_LABEL_NOTAPP;
+
+	if (!IS_DEFAULT_VNET(curvnet))
+		return;
+
+	ADDRSEL_LOCK_INIT();
+	ADDRSEL_SXLOCK_INIT();
 }

 static struct in6_addrpolicy *
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@ -234,6 +234,17 @@ ip6_init(void)
 					/* 40 1K datagrams */
 	V_dad_init = 0;

+	scope6_init();
+	addrsel_policy_init();
+	nd6_init();
+	frag6_init();
+
+	V_ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR;
+
+	/* Skip global initialization stuff for non-default instances. */
+	if (!IS_DEFAULT_VNET(curvnet))
+		return;
+
 #ifdef DIAGNOSTIC
 	if (sizeof(struct protosw) != sizeof(struct ip6protosw))
 		panic("sizeof(protosw) != sizeof(ip6protosw)");
@ -265,18 +276,13 @@ ip6_init(void)
 		printf("%s: WARNING: unable to register pfil hook, "
 			"error %d\n", __func__, i);

-	ip6intrq.ifq_maxlen = V_ip6qmaxlen;
+	ip6intrq.ifq_maxlen = V_ip6qmaxlen; /* XXX */
 	mtx_init(&ip6intrq.ifq_mtx, "ip6_inq", NULL, MTX_DEF);
 	netisr_register(NETISR_IPV6, ip6_input, &ip6intrq, 0);
-	scope6_init();
-	addrsel_policy_init();
-	nd6_init();
-	frag6_init();
-	V_ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR;
 }

-static void
-ip6_init2(void *dummy)
+static int
+ip6_init2_vnet(const void *unused __unused)
 {
 	INIT_VNET_INET6(curvnet);

@ -290,6 +296,15 @@ ip6_init2(void *dummy)
 		      (V_ip6_temp_preferred_lifetime - V_ip6_desync_factor -
 		       V_ip6_temp_regen_advance) * hz,
 		      in6_tmpaddrtimer, NULL);
+
+	return (0);
+}
+
+static void
+ip6_init2(void *dummy)
+{
+
+	ip6_init2_vnet(NULL);
 }

 /* cheat */
--- a/sys/netinet6/scope6.c
+++ b/sys/netinet6/scope6.c
@ -83,8 +83,12 @@ scope6_init(void)
 #else
 	V_ip6_use_defzone = 0;
 #endif
-	SCOPE6_LOCK_INIT();
 	bzero(&V_sid_default, sizeof(V_sid_default));
+
+	if (!IS_DEFAULT_VNET(curvnet))
+		return;
+
+	SCOPE6_LOCK_INIT();
 }

 struct scope6_id *
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@ -103,6 +103,8 @@ struct vnet_ipsec vnet_ipsec_0;
 #endif
 #endif

+static int ipsec_iattach(const void *);
+
 #ifdef VIMAGE_GLOBALS
 /* NB: name changed so netstat doesn't use it. */
 struct ipsecstat ipsec4stat;
@ -1758,8 +1760,18 @@ static void
 ipsec_attach(void)
 {

+	ipsec_iattach(NULL);
+}
+
+static int
+ipsec_iattach(const void *unused __unused)
+{
+	INIT_VNET_IPSEC(curvnet);
+
 	SECPOLICY_LOCK_INIT(&V_ip4_def_policy);
 	V_ip4_def_policy.refcnt = 1;			/* NB: disallow free. */
+
+	return (0);
 }
 SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL);

--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@ -7171,12 +7171,6 @@ key_init(void)
 	V_ipsec_esp_auth = 0;
 	V_ipsec_ah_keymin = 128;

-	SPTREE_LOCK_INIT();
-	REGTREE_LOCK_INIT();
-	SAHTREE_LOCK_INIT();
-	ACQ_LOCK_INIT();
-	SPACQ_LOCK_INIT();
-
 	for (i = 0; i < IPSEC_DIR_MAX; i++)
 		LIST_INIT(&V_sptree[i]);

@ -7192,6 +7186,15 @@ key_init(void)
 	V_ip4_def_policy.policy = IPSEC_POLICY_NONE;
 	V_ip4_def_policy.refcnt++;	/*never reclaim this*/

+	if (!IS_DEFAULT_VNET(curvnet))
+		return;
+
+	SPTREE_LOCK_INIT();
+	REGTREE_LOCK_INIT();
+	SAHTREE_LOCK_INIT();
+	ACQ_LOCK_INIT();
+	SPACQ_LOCK_INIT();
+
 #ifndef IPSEC_DEBUG2
 	timeout((void *)key_timehandler, (void *)0, hz);
 #endif /*IPSEC_DEBUG2*/
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@ -73,6 +73,8 @@

 #include <opencrypto/cryptodev.h>

+static int ah_iattach(const void *);
+
 /*
 * Return header size in bytes.  The old protocol did not support
 * the replay counter; the new protocol always includes the counter.
@ -1220,9 +1222,18 @@ static void
 ah_attach(void)
 {

+	xform_register(&ah_xformsw);
+	ah_iattach(NULL);
+}
+
+static int
+ah_iattach(const void *unused __unused)
+{
+	INIT_VNET_IPSEC(curvnet);
+
 	V_ah_enable = 1;	/* control flow of packets with AH */
 	V_ah_cleartos = 1;	/* clear ip_tos when doing AH calc */

-	xform_register(&ah_xformsw);
+	return (0);
 }
 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@ -90,6 +90,7 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,

 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
+static int esp_iattach(const void *);

 /*
 * NB: this is public for use by the PF_KEY support.
@ -990,9 +991,19 @@ static struct xformsw esp_xformsw = {
 static void
 esp_attach(void)
 {
+
+	xform_register(&esp_xformsw);
+	esp_iattach(NULL);
+}
+
+static int
+esp_iattach(const void *unused __unused)
+{
+	INIT_VNET_IPSEC(curvnet);
+
 #define	MAXIV(xform)					\
 	if (xform.blocksize > V_esp_max_ivlen)		\
-		V_esp_max_ivlen = xform.blocksize		\
+		V_esp_max_ivlen = xform.blocksize	\

 	V_esp_enable = 1;
 	V_esp_max_ivlen = 0;
@ -1005,8 +1016,8 @@ esp_attach(void)
 	MAXIV(enc_xform_skipjack);	/* SADB_X_EALG_SKIPJACK */
 	MAXIV(enc_xform_null);		/* SADB_EALG_NULL */
 	MAXIV(enc_xform_camellia);	/* SADB_X_EALG_CAMELLIACBC */
-
-	xform_register(&esp_xformsw);
 #undef MAXIV
+
+	return (0);
 }
 SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, esp_attach, NULL);
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@ -80,6 +80,7 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,

 static int ipcomp_input_cb(struct cryptop *crp);
 static int ipcomp_output_cb(struct cryptop *crp);
+static int ipcomp_iattach(const void *);

 struct comp_algo *
 ipcomp_algorithm_lookup(int alg)
@ -600,7 +601,16 @@ static void
 ipcomp_attach(void)
 {

-	V_ipcomp_enable = 0;
 	xform_register(&ipcomp_xformsw);
+	ipcomp_iattach(NULL);
+}
+
+static int
+ipcomp_iattach(const void *unused __unused)
+{
+	INIT_VNET_IPSEC(curvnet);
+
+	V_ipcomp_enable = 0;
+	return (0);
 }
 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@ -697,12 +697,19 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
 	return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
 }

+static int
+ipe4_iattach(const void *unused __unused)
+{
+	INIT_VNET_IPSEC(curvnet);
+
+	V_ipip_allow = 0;
+	return (0);
+}
+
 static void
 ipe4_attach(void)
 {

-	V_ipip_allow = 0;
-
 	xform_register(&ipe4_xformsw);
 	/* attach to encapsulation framework */
 	/* XXX save return cookie for detach on module remove */
@ -712,6 +719,7 @@ ipe4_attach(void)
 	(void) encap_attach_func(AF_INET6, -1,
 		ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
 #endif
+	ipe4_iattach(NULL);
 }
 SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
 #endif	/* IPSEC */
--- a/sys/sys/param.h
+++ b/sys/sys/param.h
@ -57,7 +57,7 @@
 *		is created, otherwise 1.
 */
 #undef __FreeBSD_version
-#define __FreeBSD_version 800074	/* Master, propagated to newvers */
+#define __FreeBSD_version 800075	/* Master, propagated to newvers */

 #ifndef LOCORE
 #include <sys/types.h>
--- a/sys/sys/vimage.h
+++ b/sys/sys/vimage.h
@ -81,6 +81,7 @@ struct vnet_modlink {
 #define VNET_SYMMAP_END		{ NULL, 0 }

 /* Non-VIMAGE null-macros */
+#define	IS_DEFAULT_VNET(arg) 1
 #define	CURVNET_SET(arg)
 #define	CURVNET_SET_QUIET(arg)
 #define	CURVNET_RESTORE()