MFC r339554:
Rework if_ipsec(4) to use epoch(9) instead of rmlock.

* use CK_LIST and FNV hash to keep chains of softc;
* read access to softc is protected by epoch();
* write access is protected by ipsec_ioctl_sx. Changing of softc fields is allowed only when softc is unlinked from CK_LIST chains.
* linking/unlinking of softc is allowed only when ipsec_ioctl_sx is exclusive locked.
* the plain LIST of all softc is replaced by hash table that uses ingress address of tunnels as a key.
* added support for appearing/disappearing of ingress address handling. Now it is allowed to configure a non-local ingress IP address, and thus the problem with if_ipsec(4) configuration that happens on boot, when ingress address is not yet configured, is solved.

Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17190

MFC r339555:
Follow the fix in r339532 (by glebius): Fix exiting an epoch(9) we never entered. May happen only with MAC.
MFC r339642:
Remove softc from idhash when interface is destroyed.
MFC r339646:
Add the check that current VNET is ready and access to srchash is allowed.

ipsec_srcaddr() callback can be called during VNET teardown, since ingress address checking subsystem isn't VNET specific. And thus the callback can access already freed memory. To prevent this, use V_ipsec_idhtbl pointer as indicator of VNET readiness. And make epoch_wait() after resetting it to NULL in vnet_ipsec_uninit() to be sure that ipsec_srcaddr() has finished its work.

Reported by: kp
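
The teardown ordering described for r339646 (reset the pointer, wait for readers, then free), sketched as an added userspace example; it is not part of the commit or of FreeBSD. The names `idhtbl`, `srcaddr_event()`, `table_init()` and `table_uninit()` are hypothetical, and a C11 atomic reader counter is assumed as a stand-in for epoch(9).

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical userspace stand-ins; none of this is FreeBSD kernel code. */
struct srchash { uint32_t nbuckets; atomic_uint *hits; };
static _Atomic(struct srchash *) idhtbl; /* plays the role of V_ipsec_idhtbl */
static atomic_uint readers;              /* crude substitute for an epoch(9) section */
static void reader_enter(void) { atomic_fetch_add(&readers, 1); }
static void reader_exit(void)  { atomic_fetch_sub(&readers, 1); }
/* Substitute for epoch_wait(): spin until no reader is inside a section. */
static void readers_wait(void) { while (atomic_load(&readers) != 0) { } }

int table_init(uint32_t nbuckets) {
    struct srchash *t = malloc(sizeof(*t));
    if (t == NULL || nbuckets == 0) { free(t); return -1; }
    t->hits = calloc(nbuckets, sizeof(*t->hits));
    if (t->hits == NULL) { free(t); return -1; }
    t->nbuckets = nbuckets;
    atomic_store(&idhtbl, t);            /* publish: instance is now ready */
    return 0;
}

/* Callback that may fire during teardown; returns 1 if handled, 0 if not ready. */
int srcaddr_event(uint32_t addr) {
    int handled = 0;
    reader_enter();
    struct srchash *t = atomic_load(&idhtbl);
    if (t != NULL) {                     /* readiness check before any access */
        atomic_fetch_add(&t->hits[addr % t->nbuckets], 1);
        handled = 1;
    }
    reader_exit();
    return handled;
}

void table_uninit(void) {
    struct srchash *t = atomic_exchange(&idhtbl, NULL); /* 1. unpublish */
    if (t == NULL) return;
    readers_wait();                      /* 2. let in-flight callbacks finish */
    free(t->hits);                       /* 3. only now release the memory */
    free(t);
}

int main(void) {
    if (table_init(8) != 0) return 1;
    int ok = srcaddr_event(0x0a000001u); /* constructed address: handled */
    table_uninit();
    return !(ok == 1 && srcaddr_event(0x0a000001u) == 0);
}
```

Freeing before the wait, or waiting before the pointer is reset, reopens the window in which a late callback dereferences freed memory.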