authorMarko Zec <zec@FreeBSD.org>2008-12-10 23:12:39 +0000
committerMarko Zec <zec@FreeBSD.org>2008-12-10 23:12:39 +0000
commit385195c062ad27bfd78b9f9592a8bbcb9419acfb (patch)
tree69ada7d351f2f4e8f7205f24e4f8473aad40573d /sys
parent629386598e36c072f900e8e88c9d3d5acf61dacc (diff)
Conditionally compile out V_ globals while instantiating the appropriate
container structures, depending on VIMAGE_GLOBALS compile time option. Make VIMAGE_GLOBALS a new compile-time option, which by default will not be defined, resulting in instantiations of global variables selected for V_irtualization (enclosed in #ifdef VIMAGE_GLOBALS blocks) to be effectively compiled out. Instantiate new global container structures to hold V_irtualized variables: vnet_net_0, vnet_inet_0, vnet_inet6_0, vnet_ipsec_0, vnet_netgraph_0, and vnet_gif_0. Update the VSYM() macro so that depending on VIMAGE_GLOBALS the V_ macros resolve either to the original globals, or to fields inside container structures, i.e. effectively #ifdef VIMAGE_GLOBALS #define V_rt_tables rt_tables #else #define V_rt_tables vnet_net_0._rt_tables #endif Update SYSCTL_V_*() macros to operate either on globals or on fields inside container structs. Extend the internal kldsym() lookups with the ability to resolve selected fields inside the virtualization container structs. This applies only to the fields which are explicitly registered for kldsym() visibility via VNET_MOD_DECLARE() and vnet_mod_register(), currently this is done only in sys/net/if.c. Fix a few broken instances of MODULE_GLOBAL() macro use in SCTP code, and modify the MODULE_GLOBAL() macro to resolve to V_ macros, which in turn result in proper code being generated depending on VIMAGE_GLOBALS. De-virtualize local static variables in sys/contrib/pf/net/pf_subr.c which were prematurely V_irtualized by automated V_ prepending scripts during earlier merging steps. PF virtualization will be done separately, most probably after next PF import. Convert a few variable initializations at instantiation to initialization in init functions, most notably in ipfw. Also convert TUNABLE_INT() initializers for V_ variables to TUNABLE_FETCH_INT() in initializer functions. Discussed at: devsummit Strassburg Reviewed by: bz, julian Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... 
X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
Notes
Notes: svn path=/head/; revision=185895
Diffstat (limited to 'sys')
-rw-r--r--sys/conf/files1
-rw-r--r--sys/conf/options1
-rw-r--r--sys/contrib/pf/net/pf_subr.c29
-rw-r--r--sys/kern/kern_linker.c16
-rw-r--r--sys/kern/kern_vimage.c98
-rw-r--r--sys/net/if.c23
-rw-r--r--sys/net/if_bridge.c3
-rw-r--r--sys/net/if_ethersubr.c5
-rw-r--r--sys/net/if_gif.c6
-rw-r--r--sys/net/if_gif.h7
-rw-r--r--sys/net/vnet.h8
-rw-r--r--sys/netgraph/netgraph.h6
-rw-r--r--sys/netgraph/ng_base.c15
-rw-r--r--sys/netgraph/ng_bridge.c2
-rw-r--r--sys/netgraph/ng_eiface.c2
-rw-r--r--sys/netgraph/ng_iface.c2
-rw-r--r--sys/netgraph/ng_ipfw.c2
-rw-r--r--sys/netinet/in_proto.c1
-rw-r--r--sys/netinet/ip_divert.c3
-rw-r--r--sys/netinet/ip_dummynet.c2
-rw-r--r--sys/netinet/ip_fw.h13
-rw-r--r--sys/netinet/ip_fw2.c80
-rw-r--r--sys/netinet/ip_fw_nat.c2
-rw-r--r--sys/netinet/ip_fw_pfil.c2
-rw-r--r--sys/netinet/ip_input.c16
-rw-r--r--sys/netinet/ip_output.c1
-rw-r--r--sys/netinet/ip_var.h1
-rw-r--r--sys/netinet/libalias/alias_db.c2
-rw-r--r--sys/netinet/raw_ip.c1
-rw-r--r--sys/netinet/sctp_os_bsd.h9
-rw-r--r--sys/netinet/sctp_pcb.c8
-rw-r--r--sys/netinet/tcp_sack.c1
-rw-r--r--sys/netinet/tcp_subr.c4
-rw-r--r--sys/netinet/udp_usrreq.c2
-rw-r--r--sys/netinet/vinet.h21
-rw-r--r--sys/netinet6/in6_proto.c4
-rw-r--r--sys/netinet6/ip6_input.c8
-rw-r--r--sys/netinet6/nd6.c8
-rw-r--r--sys/netinet6/vinet6.h8
-rw-r--r--sys/netipsec/ipsec.c6
-rw-r--r--sys/netipsec/vipsec.h6
-rw-r--r--sys/sys/kernel.h1
-rw-r--r--sys/sys/sysctl.h35
-rw-r--r--sys/sys/vimage.h53
44 files changed, 436 insertions, 88 deletions
diff --git a/sys/conf/files b/sys/conf/files
index 151a22771b66..d09ead4a46b5 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1953,6 +1953,7 @@ kern/kern_timeout.c standard
kern/kern_umtx.c standard
kern/kern_uuid.c standard
kern/kern_xxx.c standard
+kern/kern_vimage.c standard
kern/link_elf.c standard
kern/linker_if.m standard
kern/md4c.c optional netsmb
diff --git a/sys/conf/options b/sys/conf/options
index f7074785fcc9..1f59aafb20b5 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -415,6 +415,7 @@ TCPDEBUG
TCP_OFFLOAD_DISABLE opt_inet.h #Disable code to dispatch tcp offloading
TCP_SIGNATURE opt_inet.h
VLAN_ARRAY opt_vlan.h
+VIMAGE_GLOBALS opt_global.h
XBONEHACK
#
diff --git a/sys/contrib/pf/net/pf_subr.c b/sys/contrib/pf/net/pf_subr.c
index 3b680e363720..1ac8b402e6cb 100644
--- a/sys/contrib/pf/net/pf_subr.c
+++ b/sys/contrib/pf/net/pf_subr.c
@@ -124,15 +124,14 @@ static MD5_CTX isn_ctx;
u_int32_t
pf_new_isn(struct pf_state *s)
{
- INIT_VNET_INET(curvnet);
u_int32_t md5_buffer[4];
u_int32_t new_isn;
struct pf_state_host *src, *dst;
/* Seed if this is the first use, reseed if requested. */
- if (V_isn_last_reseed == 0) {
- read_random(&V_isn_secret, sizeof(V_isn_secret));
- V_isn_last_reseed = ticks;
+ if (isn_last_reseed == 0) {
+ read_random(&isn_secret, sizeof(isn_secret));
+ isn_last_reseed = ticks;
}
if (s->direction == PF_IN) {
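Review bot: After this rename `isn_secret`, `isn_last_reseed` and `isn_offset` are plain statics again (presumably file-scope, like the `static MD5_CTX isn_ctx;` in the hunk header), so every network stack instance that runs pf would draw its ISNs from one secret and one offset, and nothing in the code says that is intended. The commit message explains that pf virtualization is deferred; a comment above the seeding block would record it, e.g. `/* XXX: ISN state is global, not per-vnet, until pf is virtualized. */`. The existing comment also promises "reseed if requested", but the only condition visible here is `isn_last_reseed == 0`, so it should be corrected if no reseed path exists elsewhere in the file. pf_new_isn() continues in the next hunk.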
@@ -144,28 +143,28 @@ pf_new_isn(struct pf_state *s)
}
/* Compute the md5 hash and return the ISN. */
- MD5Init(&V_isn_ctx);
- MD5Update(&V_isn_ctx, (u_char *) &dst->port, sizeof(u_short));
- MD5Update(&V_isn_ctx, (u_char *) &src->port, sizeof(u_short));
+ MD5Init(&isn_ctx);
+ MD5Update(&isn_ctx, (u_char *) &dst->port, sizeof(u_short));
+ MD5Update(&isn_ctx, (u_char *) &src->port, sizeof(u_short));
#ifdef INET6
if (s->af == AF_INET6) {
- MD5Update(&V_isn_ctx, (u_char *) &dst->addr,
+ MD5Update(&isn_ctx, (u_char *) &dst->addr,
sizeof(struct in6_addr));
- MD5Update(&V_isn_ctx, (u_char *) &src->addr,
+ MD5Update(&isn_ctx, (u_char *) &src->addr,
sizeof(struct in6_addr));
} else
#endif
{
- MD5Update(&V_isn_ctx, (u_char *) &dst->addr,
+ MD5Update(&isn_ctx, (u_char *) &dst->addr,
sizeof(struct in_addr));
- MD5Update(&V_isn_ctx, (u_char *) &src->addr,
+ MD5Update(&isn_ctx, (u_char *) &src->addr,
sizeof(struct in_addr));
}
- MD5Update(&V_isn_ctx, (u_char *) &V_isn_secret, sizeof(V_isn_secret));
- MD5Final((u_char *) &md5_buffer, &V_isn_ctx);
+ MD5Update(&isn_ctx, (u_char *) &isn_secret, sizeof(isn_secret));
+ MD5Final((u_char *) &md5_buffer, &isn_ctx);
new_isn = (tcp_seq) md5_buffer[0];
- V_isn_offset += ISN_STATIC_INCREMENT +
+ isn_offset += ISN_STATIC_INCREMENT +
(arc4random() & ISN_RANDOM_INCREMENT);
- new_isn += V_isn_offset;
+ new_isn += isn_offset;
return (new_isn);
}
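Review bot: `isn_ctx` is the `static MD5_CTX isn_ctx;` shown in the previous hunk header, so `MD5Init`, `MD5Update` and `MD5Final` here all operate on one shared context; two overlapping calls to pf_new_isn() would mix their hash state, and `isn_offset += ...` would race as well. Whether a lock held by the callers serializes this cannot be seen from the hunk. If none does, declaring the context on the stack (`MD5_CTX isn_ctx;` inside the function) removes the shared hash state; otherwise a comment naming the lock that protects `isn_ctx` and `isn_offset` would make the assumption checkable. The function begins in the previous hunk.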
diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index f657efa9b44f..1683a5a0d1e3 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -51,6 +51,7 @@ __FBSDID("$FreeBSD$");
#include <sys/vnode.h>
#include <sys/syscallsubr.h>
#include <sys/sysctl.h>
+#include <sys/vimage.h>
#include <security/mac/mac_framework.h>
@@ -1301,8 +1302,23 @@ kldsym(struct thread *td, struct kldsym_args *uap)
break;
}
}
+#ifndef VIMAGE_GLOBALS
+ /*
+ * If the symbol is not found in global namespace,
+ * try to look it up in the current vimage namespace.
+ */
+ if (lf == NULL) {
+ CURVNET_SET(TD_TO_VNET(td));
+ error = vi_symlookup(&lookup, symstr);
+ CURVNET_RESTORE();
+ if (error == 0)
+ error = copyout(&lookup, uap->data,
+ sizeof(lookup));
+ }
+#else
if (lf == NULL)
error = ENOENT;
+#endif
}
KLD_UNLOCK();
out:
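Review bot: In the `#ifndef VIMAGE_GLOBALS` fallback the whole `lookup` structure is copied out, while `vi_symlookup()` (added in kern_vimage.c) assigns only `symvalue` and `symsize`. That is safe only if every other field of `lookup` was already filled in before this point, presumably by a copyin earlier in kldsym(), which starts outside this hunk; otherwise uninitialised kernel stack bytes would reach userland. A comment on the fallback stating the assumption, for example `/* lookup was fully populated by the copyin above; only symvalue/symsize change here. */`, would make it easy to verify during later edits.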
diff --git a/sys/kern/kern_vimage.c b/sys/kern/kern_vimage.c
new file mode 100644
index 000000000000..0cba35af9d19
--- /dev/null
+++ b/sys/kern/kern_vimage.c
@@ -0,0 +1,98 @@
+/*-
+ * Copyright (c) 2004-2008 University of Zagreb
+ * Copyright (c) 2006-2008 FreeBSD Foundation
+ *
+ * This software was developed by the University of Zagreb and the
+ * FreeBSD Foundation under sponsorship by the Stichting NLnet and the
+ * FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/kernel.h>
+#include <sys/linker.h>
+#include <sys/malloc.h>
+#include <sys/systm.h>
+#include <sys/vimage.h>
+
+#ifndef VIMAGE_GLOBALS
+
+MALLOC_DEFINE(M_VIMAGE, "vimage", "vimage resource container");
+
+static TAILQ_HEAD(vnet_modlink_head, vnet_modlink) vnet_modlink_head;
+
+void
+vnet_mod_register(const struct vnet_modinfo *vmi)
+{
+ struct vnet_modlink *vml, *vml_iter;
+
+ /* Do not register the same module instance more than once. */
+ TAILQ_FOREACH(vml_iter, &vnet_modlink_head, vml_mod_le)
+ if (vml_iter->vml_modinfo == vmi)
+ panic("%s: %s", __func__, vmi->vmi_name);
+ vml = malloc(sizeof(struct vnet_modlink), M_VIMAGE, M_NOWAIT);
+ vml->vml_modinfo = vmi;
+ TAILQ_INSERT_TAIL(&vnet_modlink_head, vml, vml_mod_le);
+}
+
+/*
+ * vi_symlookup() attempts to resolve name to address queries for
+ * variables which have been moved from global namespace to virtualization
+ * container structures, but are still directly accessed from legacy
+ * userspace processes via kldsym(2) and kmem(4) interfaces.
+ */
+int
+vi_symlookup(struct kld_sym_lookup *lookup, char *symstr)
+{
+ struct vnet_modlink *vml;
+ struct vnet_symmap *mapentry;
+
+ TAILQ_FOREACH(vml, &vnet_modlink_head, vml_mod_le) {
+ if (vml->vml_modinfo->vmi_symmap == NULL)
+ continue;
+ for (mapentry = vml->vml_modinfo->vmi_symmap;
+ mapentry->name != NULL; mapentry++) {
+ if (strcmp(symstr, mapentry->name) == 0) {
+ lookup->symvalue = (u_long) mapentry->base;
+ lookup->symsize = mapentry->size;
+ return (0);
+ }
+ }
+ }
+ return (ENOENT);
+}
+
+static void
+vi_init(void *unused)
+{
+
+ TAILQ_INIT(&vnet_modlink_head);
+}
+
+SYSINIT(vimage, SI_SUB_VIMAGE, SI_ORDER_FIRST, vi_init, NULL);
+
+#endif /* !VIMAGE_GLOBALS */
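Review bot: In `vnet_mod_register()` the result of `malloc(..., M_VIMAGE, M_NOWAIT)` is dereferenced on the next line without a NULL check, so an allocation failure becomes a NULL-pointer write in the kernel. If registration only happens from contexts that may sleep (the one caller in this commit is `if_init()`), `vml = malloc(sizeof(struct vnet_modlink), M_VIMAGE, M_WAITOK);` is the simplest fix; otherwise add `if (vml == NULL) panic("%s: malloc failed for %s", __func__, vmi->vmi_name);`. `vnet_modlink_head` is also walked by `vi_symlookup()` and appended to here with no lock visible in this file, which is safe only while all registration finishes before kldsym(2) can be called. A comment stating that rule above the list head would help.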
diff --git a/sys/net/if.c b/sys/net/if.c
index f551c6066cd3..87b03285341f 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -90,6 +90,12 @@
#include <security/mac/mac_framework.h>
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+struct vnet_net vnet_net_0;
+#endif
+#endif
+
SYSCTL_NODE(_net, PF_LINK, link, CTLFLAG_RW, 0, "Link layers");
SYSCTL_NODE(_net_link, 0, generic, CTLFLAG_RW, 0, "Generic link-management");
@@ -161,6 +167,19 @@ static int filt_netdev(struct knote *kn, long hint);
static struct filterops netdev_filtops =
{ 1, NULL, filt_netdetach, filt_netdev };
+#ifndef VIMAGE_GLOBALS
+static struct vnet_symmap vnet_net_symmap[] = {
+ VNET_SYMMAP(net, ifnet),
+ VNET_SYMMAP(net, rt_tables),
+ VNET_SYMMAP(net, rtstat),
+ VNET_SYMMAP(net, rttrash),
+ VNET_SYMMAP_END
+};
+
+VNET_MOD_DECLARE(NET, net, vnet_net_iattach, vnet_net_idetach,
+ NONE, vnet_net_symmap)
+#endif
+
/*
* System initialization
*/
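Review bot: `vnet_net_symmap` has no comment explaining that it is the list of `vnet_net` fields whose address and size kldsym(2) will return to userland through `vi_symlookup()`. Because each added entry widens what legacy tools can locate in kernel memory, I would put a comment above the table, e.g. `/* Fields of vnet_net still resolvable via kldsym(2) for legacy kmem(4) readers; keep this list minimal. */`. `vnet_net_iattach` and `vnet_net_idetach` are named in `VNET_MOD_DECLARE()` but are not defined in any hunk shown for this file, so it is worth confirming how the macro treats them when VIMAGE is not defined.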
@@ -361,6 +380,10 @@ if_init(void *dummy __unused)
{
INIT_VNET_NET(curvnet);
+#ifndef VIMAGE_GLOBALS
+ vnet_mod_register(&vnet_net_modinfo);
+#endif
+
V_if_index = 0;
V_ifindex_table = NULL;
V_if_indexlim = 8;
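Review bot: The added `vnet_mod_register(&vnet_net_modinfo);` appends to `vnet_modlink_head`, which is only set up by `vi_init()` through `SYSINIT(vimage, SI_SUB_VIMAGE, SI_ORDER_FIRST, ...)` in kern_vimage.c. The SYSINIT level of if_init() is outside this hunk, so the ordering cannot be confirmed here; if if_init() ever ran first, `TAILQ_INSERT_TAIL` would operate on a head that has not been through `TAILQ_INIT`. A one-line comment such as `/* Requires SI_SUB_VIMAGE to have run (see vi_init()). */` would document the dependency, or the head could be initialised statically with `TAILQ_HEAD_INITIALIZER`. if_init() continues past the end of the hunk.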
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 8f07e6c22506..6d7aed0a079a 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -100,6 +100,7 @@ __FBSDID("$FreeBSD$");
#include <sys/proc.h>
#include <sys/lock.h>
#include <sys/mutex.h>
+#include <sys/rwlock.h>
#include <sys/vimage.h>
#include <net/bpf.h>
@@ -3041,7 +3042,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir)
}
if (IPFW_LOADED && pfil_ipfw != 0 && dir == PFIL_OUT && ifp != NULL) {
- INIT_VNET_IPFW(curvnet);
+ INIT_VNET_INET(curvnet);
error = -1;
args.rule = ip_dn_claim_rule(*mp);
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index d26609cc1dc7..4524fdd5e44d 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -42,10 +42,12 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mbuf.h>
#include <sys/random.h>
+#include <sys/rwlock.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <sys/sysctl.h>
@@ -71,6 +73,7 @@
#include <netinet/if_ether.h>
#include <netinet/ip_fw.h>
#include <netinet/ip_dummynet.h>
+#include <netinet/vinet.h>
#endif
#ifdef INET6
#include <netinet6/nd6.h>
@@ -426,7 +429,7 @@ int
ether_ipfw_chk(struct mbuf **m0, struct ifnet *dst,
struct ip_fw **rule, int shared)
{
- INIT_VNET_IPFW(dst->if_vnet);
+ INIT_VNET_INET(dst->if_vnet);
struct ether_header *eh;
struct ether_header save_eh;
struct mbuf *m;
diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c
index 57bfaabbe6aa..be7fa9f8e098 100644
--- a/sys/net/if_gif.c
+++ b/sys/net/if_gif.c
@@ -95,6 +95,12 @@
static struct mtx gif_mtx;
static MALLOC_DEFINE(M_GIF, "gif", "Generic Tunnel Interface");
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+struct vnet_gif vnet_gif_0;
+#endif
+#endif
+
#ifdef VIMAGE_GLOBALS
static LIST_HEAD(, gif_softc) gif_softc_list;
static int max_gif_nesting;
diff --git a/sys/net/if_gif.h b/sys/net/if_gif.h
index c2fcc8cbdb99..2ba7bd399a1a 100644
--- a/sys/net/if_gif.h
+++ b/sys/net/if_gif.h
@@ -113,7 +113,7 @@ int gif_encapcheck(const struct mbuf *, int, int, void *);
/*
* Virtualization support
*/
-#ifdef VIMAGE
+
struct vnet_gif {
LIST_HEAD(, gif_softc) _gif_softc_list;
int _max_gif_nesting;
@@ -121,6 +121,11 @@ struct vnet_gif {
int _ip_gif_ttl;
int _ip6_gif_hlim;
};
+
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+extern struct vnet_gif vnet_gif_0;
+#endif
#endif
#define INIT_VNET_GIF(vnet) \
diff --git a/sys/net/vnet.h b/sys/net/vnet.h
index 531d7149a4eb..f09fc6e1df9b 100644
--- a/sys/net/vnet.h
+++ b/sys/net/vnet.h
@@ -37,9 +37,7 @@
#include <sys/param.h>
#include <sys/systm.h>
-#include <sys/proc.h>
#include <sys/protosw.h>
-#include <sys/socket.h>
#include <net/if.h>
#include <net/if_var.h>
@@ -67,6 +65,12 @@ struct vnet_net {
int _ether_ipfw;
};
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+extern struct vnet_net vnet_net_0;
+#endif
+#endif
+
/*
* Symbol translation macros
*/
diff --git a/sys/netgraph/netgraph.h b/sys/netgraph/netgraph.h
index 0def6414c5b6..4072f76e884d 100644
--- a/sys/netgraph/netgraph.h
+++ b/sys/netgraph/netgraph.h
@@ -1205,6 +1205,12 @@ struct vnet_netgraph {
struct unrhdr *_ng_wormhole_unit;
};
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+extern struct vnet_netgraph vnet_netgraph_0;
+#endif
+#endif
+
/* Symbol translation macros */
#define V_nextID VNET_NETGRAPH(nextID)
#define V_ng_ID_hash VNET_NETGRAPH(ng_ID_hash)
diff --git a/sys/netgraph/ng_base.c b/sys/netgraph/ng_base.c
index 24ed885fe080..0406da1ba572 100644
--- a/sys/netgraph/ng_base.c
+++ b/sys/netgraph/ng_base.c
@@ -72,6 +72,12 @@
MODULE_VERSION(netgraph, NG_ABI_VERSION);
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+struct vnet_netgraph vnet_netgraph_0;
+#endif
+#endif
+
/* Mutex to protect topology events. */
static struct mtx ng_topo_mtx;
@@ -167,7 +173,9 @@ static struct mtx ng_typelist_mtx;
/* Hash related definitions */
/* XXX Don't need to initialise them because it's a LIST */
+#ifdef VIMAGE_GLOBALS
static LIST_HEAD(, ng_node) ng_ID_hash[NG_ID_HASH_SIZE];
+#endif
static struct mtx ng_idhash_mtx;
/* Method to find a node.. used twice so do it here */
#define NG_IDHASH_FN(ID) ((ID) % (NG_ID_HASH_SIZE))
@@ -183,7 +191,9 @@ static struct mtx ng_idhash_mtx;
} \
} while (0)
+#ifdef VIMAGE_GLOBALS
static LIST_HEAD(, ng_node) ng_name_hash[NG_NAME_HASH_SIZE];
+#endif
static struct mtx ng_namehash_mtx;
#define NG_NAMEHASH(NAME, HASH) \
do { \
@@ -348,7 +358,9 @@ ng_alloc_node(void)
#define TRAP_ERROR()
#endif
-static ng_ID_t nextID = 1;
+#ifdef VIMAGE_GLOBALS
+static ng_ID_t nextID;
+#endif
#ifdef INVARIANTS
#define CHECK_DATA_MBUF(m) do { \
@@ -3063,6 +3075,7 @@ ngb_mod_event(module_t mod, int event, void *data)
switch (event) {
case MOD_LOAD:
/* Initialize everything. */
+ V_nextID = 1;
NG_WORKLIST_LOCK_INIT();
mtx_init(&ng_typelist_mtx, "netgraph types mutex", NULL,
MTX_DEF);
diff --git a/sys/netgraph/ng_bridge.c b/sys/netgraph/ng_bridge.c
index c033a556b158..d998f1eb70cd 100644
--- a/sys/netgraph/ng_bridge.c
+++ b/sys/netgraph/ng_bridge.c
@@ -61,9 +61,11 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/errno.h>
+#include <sys/rwlock.h>
#include <sys/syslog.h>
#include <sys/socket.h>
#include <sys/ctype.h>
diff --git a/sys/netgraph/ng_eiface.c b/sys/netgraph/ng_eiface.c
index 3d92e5f45b79..542eaadb7a11 100644
--- a/sys/netgraph/ng_eiface.c
+++ b/sys/netgraph/ng_eiface.c
@@ -113,7 +113,9 @@ static struct ng_type typestruct = {
};
NETGRAPH_INIT(eiface, &typestruct);
+#ifdef VIMAGE_GLOBALS
static struct unrhdr *ng_eiface_unit;
+#endif
/************************************************************************
INTERFACE STUFF
diff --git a/sys/netgraph/ng_iface.c b/sys/netgraph/ng_iface.c
index 35fc1cc83301..2295004336db 100644
--- a/sys/netgraph/ng_iface.c
+++ b/sys/netgraph/ng_iface.c
@@ -208,7 +208,9 @@ static struct ng_type typestruct = {
};
NETGRAPH_INIT(iface, &typestruct);
+#ifdef VIMAGE_GLOBALS
static struct unrhdr *ng_iface_unit;
+#endif
/************************************************************************
HELPER STUFF
diff --git a/sys/netgraph/ng_ipfw.c b/sys/netgraph/ng_ipfw.c
index 91af21528305..cce623b8254b 100644
--- a/sys/netgraph/ng_ipfw.c
+++ b/sys/netgraph/ng_ipfw.c
@@ -29,10 +29,12 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
#include <sys/mbuf.h>
#include <sys/malloc.h>
#include <sys/ctype.h>
#include <sys/errno.h>
+#include <sys/rwlock.h>
#include <sys/socket.h>
#include <sys/syslog.h>
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index 8af52f286dac..a93f1f28a042 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -46,6 +46,7 @@ __FBSDID("$FreeBSD$");
#include <sys/kernel.h>
#include <sys/socket.h>
#include <sys/domain.h>
+#include <sys/proc.h>
#include <sys/protosw.h>
#include <sys/queue.h>
#include <sys/sysctl.h>
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index dc627a8df82d..d6eb16f833fe 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$");
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/protosw.h>
+#include <sys/rwlock.h>
#include <sys/signalvar.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -167,7 +168,7 @@ div_init(void)
V_divcbinfo.ipi_zone = uma_zcreate("divcb", sizeof(struct inpcb),
NULL, NULL, div_inpcb_init, div_inpcb_fini, UMA_ALIGN_PTR,
UMA_ZONE_NOFREE);
- uma_zone_set_max(divcbinfo.ipi_zone, maxsockets);
+ uma_zone_set_max(V_divcbinfo.ipi_zone, maxsockets);
EVENTHANDLER_REGISTER(maxsockets_change, div_zone_change,
NULL, EVENTHANDLER_PRI_ANY);
}
diff --git a/sys/netinet/ip_dummynet.c b/sys/netinet/ip_dummynet.c
index a7c0a31c0107..15595b863adf 100644
--- a/sys/netinet/ip_dummynet.c
+++ b/sys/netinet/ip_dummynet.c
@@ -62,9 +62,11 @@ __FBSDID("$FreeBSD$");
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
#include <sys/module.h>
#include <sys/priv.h>
#include <sys/proc.h>
+#include <sys/rwlock.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/time.h>
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index a0123ada255d..6e7db9900269 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -650,8 +650,6 @@ typedef int ip_fw_chk_t(struct ip_fw_args *args);
extern ip_fw_chk_t *ip_fw_chk_ptr;
#define IPFW_LOADED (ip_fw_chk_ptr != NULL)
-#ifdef IPFW_INTERNAL
-
struct ip_fw_chain {
struct ip_fw *rules; /* list of rules */
struct ip_fw *reap; /* list of rules to reap */
@@ -659,6 +657,9 @@ struct ip_fw_chain {
struct radix_node_head *tables[IPFW_TABLES_MAX];
struct rwlock rwmtx;
};
+
+#ifdef IPFW_INTERNAL
+
#define IPFW_LOCK_INIT(_chain) \
rw_init(&(_chain)->rwmtx, "IPFW static rules")
#define IPFW_LOCK_DESTROY(_chain) rw_destroy(&(_chain)->rwmtx)
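Review bot: With `struct ip_fw_chain` moved out of `#ifdef IPFW_INTERNAL` (this hunk and the one before it), every file that includes ip_fw.h needs the complete definition of `struct rwlock` for the embedded `rwmtx` member. The commit handles that by adding `#include <sys/lock.h>` and `#include <sys/rwlock.h>` to each consumer (if_bridge.c, if_ethersubr.c, ng_bridge.c, ng_ipfw.c, ip_divert.c, ip_dummynet.c and others), which leaves the header dependent on include order at every call site. Either include the two headers from ip_fw.h itself or add a comment above the struct, e.g. `/* Requires <sys/lock.h> and <sys/rwlock.h> to be included first. */`. If this header is also consumed outside the kernel, the now-unconditional struct may need a `_KERNEL` guard; that cannot be judged from the hunk.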
@@ -684,9 +685,7 @@ typedef int ipfw_nat_cfg_t(struct sockopt *);
/*
* Stack virtualization support.
*/
-#ifdef VIMAGE
struct vnet_ipfw {
- int _fw_one_pass;
int _fw_enable;
int _fw6_enable;
u_int32_t _set_disable;
@@ -716,6 +715,11 @@ struct vnet_ipfw {
struct callout _ipfw_timeout;
eventhandler_tag _ifaddr_event_tag;
};
+
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+extern struct vnet_ipfw vnet_ipfw_0;
+#endif
#endif
/*
@@ -726,7 +730,6 @@ struct vnet_ipfw {
#define VNET_IPFW(sym) VSYM(vnet_ipfw, sym)
-#define V_fw_one_pass VNET_IPFW(fw_one_pass)
#define V_fw_enable VNET_IPFW(fw_enable)
#define V_fw6_enable VNET_IPFW(fw6_enable)
#define V_set_disable VNET_IPFW(set_disable)
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index f9696cc232b9..61c76cfd9431 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -110,6 +110,12 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+struct vnet_ipfw vnet_ipfw_0;
+#endif
+#endif
+
/*
* set_disable contains one bit per set value (0..31).
* If the bit is set, all rules with the corresponding set
@@ -118,12 +124,13 @@ __FBSDID("$FreeBSD$");
* and CANNOT be disabled.
* Rules in set RESVD_SET can only be deleted explicitly.
*/
+#ifdef VIMAGE_GLOBALS
static u_int32_t set_disable;
-
static int fw_verbose;
+static struct callout ipfw_timeout;
+#endif
static int verbose_limit;
-static struct callout ipfw_timeout;
static uma_zone_t ipfw_dyn_rule_zone;
/*
@@ -159,8 +166,10 @@ struct table_entry {
u_int32_t value;
};
-static int fw_debug = 1;
-static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
+#ifdef VIMAGE_GLOBALS
+static int fw_debug;
+static int autoinc_step;
+#endif
extern int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
@@ -171,7 +180,7 @@ SYSCTL_V_PROC(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, enable,
ipfw_chg_hook, "I", "Enable ipfw");
SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, autoinc_step,
CTLFLAG_RW, autoinc_step, 0, "Rule number autincrement step");
-SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, one_pass,
+SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip_fw, OID_AUTO, one_pass,
CTLFLAG_RW | CTLFLAG_SECURE3, fw_one_pass, 0,
"Only do a single pass through ipfw when using dummynet(4)");
SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW,
@@ -222,9 +231,11 @@ SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, tables_max, CTLFLAG_RD,
* obey the 'randomized match', and we do not do multiple
* passes through the firewall. XXX check the latter!!!
*/
-static ipfw_dyn_rule **ipfw_dyn_v = NULL;
-static u_int32_t dyn_buckets = 256; /* must be power of 2 */
-static u_int32_t curr_dyn_buckets = 256; /* must be power of 2 */
+#ifdef VIMAGE_GLOBALS
+static ipfw_dyn_rule **ipfw_dyn_v;
+static u_int32_t dyn_buckets;
+static u_int32_t curr_dyn_buckets;
+#endif
static struct mtx ipfw_dyn_mtx; /* mutex guarding dynamic rules */
#define IPFW_DYN_LOCK_INIT() \
@@ -237,12 +248,13 @@ static struct mtx ipfw_dyn_mtx; /* mutex guarding dynamic rules */
/*
* Timeouts for various events in handing dynamic rules.
*/
-static u_int32_t dyn_ack_lifetime = 300;
-static u_int32_t dyn_syn_lifetime = 20;
-static u_int32_t dyn_fin_lifetime = 1;
-static u_int32_t dyn_rst_lifetime = 1;
-static u_int32_t dyn_udp_lifetime = 10;
-static u_int32_t dyn_short_lifetime = 5;
+#ifdef VIMAGE_GLOBALS
+static u_int32_t dyn_ack_lifetime;
+static u_int32_t dyn_syn_lifetime;
+static u_int32_t dyn_fin_lifetime;
+static u_int32_t dyn_rst_lifetime;
+static u_int32_t dyn_udp_lifetime;
+static u_int32_t dyn_short_lifetime;
/*
* Keepalives are sent if dyn_keepalive is set. They are sent every
@@ -252,14 +264,15 @@ static u_int32_t dyn_short_lifetime = 5;
* than dyn_keepalive_period.
*/
-static u_int32_t dyn_keepalive_interval = 20;
-static u_int32_t dyn_keepalive_period = 5;
-static u_int32_t dyn_keepalive = 1; /* do send keepalives */
+static u_int32_t dyn_keepalive_interval;
+static u_int32_t dyn_keepalive_period;
+static u_int32_t dyn_keepalive;
static u_int32_t static_count; /* # of static rules */
static u_int32_t static_len; /* size in bytes of static rules */
-static u_int32_t dyn_count; /* # of dynamic rules */
-static u_int32_t dyn_max = 4096; /* max # of dynamic rules */
+static u_int32_t dyn_count; /* # of dynamic rules */
+static u_int32_t dyn_max; /* max # of dynamic rules */
+#endif /* VIMAGE_GLOBALS */
SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_buckets,
CTLFLAG_RW, dyn_buckets, 0, "Number of dyn. buckets");
@@ -299,8 +312,9 @@ static struct sysctl_oid *ip6_fw_sysctl_tree;
#endif /* INET6 */
#endif /* SYSCTL_NODE */
-static int fw_deny_unknown_exthdrs = 1;
-
+#ifdef VIMAGE_GLOBALS
+static int fw_deny_unknown_exthdrs;
+#endif
/*
* L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
@@ -748,7 +762,9 @@ send_reject6(struct ip_fw_args *args, int code, u_int hlen, struct ip6_hdr *ip6)
#endif /* INET6 */
+#ifdef VIMAGE_GLOBALS
static u_int64_t norule_counter; /* counter for ipfw_log(NULL...) */
+#endif
#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
#define SNP(buf) buf, sizeof(buf)
@@ -4510,6 +4526,28 @@ ipfw_init(void)
struct ip_fw default_rule;
int error;
+ V_fw_debug = 1;
+ V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
+
+ V_ipfw_dyn_v = NULL;
+ V_dyn_buckets = 256; /* must be power of 2 */
+ V_curr_dyn_buckets = 256; /* must be power of 2 */
+
+ V_dyn_ack_lifetime = 300;
+ V_dyn_syn_lifetime = 20;
+ V_dyn_fin_lifetime = 1;
+ V_dyn_rst_lifetime = 1;
+ V_dyn_udp_lifetime = 10;
+ V_dyn_short_lifetime = 5;
+
+ V_dyn_keepalive_interval = 20;
+ V_dyn_keepalive_period = 5;
+ V_dyn_keepalive = 1; /* do send keepalives */
+
+ V_dyn_max = 4096; /* max # of dynamic rules */
+
+ V_fw_deny_unknown_exthdrs = 1;
+
#ifdef INET6
/* Setup IPv6 fw sysctl tree. */
sysctl_ctx_init(&ip6_fw_sysctl_ctx);
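Review bot: The defaults that used to be static initialisers (`fw_deny_unknown_exthdrs = 1`, `dyn_max = 4096`, `dyn_buckets = 256`, the `dyn_*_lifetime` values) now exist only as assignments at the top of `ipfw_init()`, so until this block runs the fields read as 0, including the deny-unknown-extension-headers switch. That is harmless as long as nothing evaluates rules or reads these values before the assignments complete, which cannot be verified here because the function starts before and continues beyond the hunk. I would add a comment above the block, e.g. `/* Defaults formerly set by static initialisers; must precede hook installation. */`, so that a later reorder does not open a window with permissive values.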
diff --git a/sys/netinet/ip_fw_nat.c b/sys/netinet/ip_fw_nat.c
index 6b8369cd8223..d770d5c248cb 100644
--- a/sys/netinet/ip_fw_nat.c
+++ b/sys/netinet/ip_fw_nat.c
@@ -71,7 +71,9 @@ MALLOC_DECLARE(M_IPFW);
extern struct ip_fw_chain layer3_chain;
+#ifdef VIMAGE_GLOBALS
static eventhandler_tag ifaddr_event_tag;
+#endif
extern ipfw_nat_t *ipfw_nat_ptr;
extern ipfw_nat_cfg_t *ipfw_nat_cfg_ptr;
diff --git a/sys/netinet/ip_fw_pfil.c b/sys/netinet/ip_fw_pfil.c
index 3199ce84ac46..246fdefca64a 100644
--- a/sys/netinet/ip_fw_pfil.c
+++ b/sys/netinet/ip_fw_pfil.c
@@ -43,6 +43,8 @@ __FBSDID("$FreeBSD$");
#include <sys/mbuf.h>
#include <sys/module.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/rwlock.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 35ebf86adac8..c99c53efee33 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -49,6 +49,8 @@ __FBSDID("$FreeBSD$");
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/rwlock.h>
#include <sys/syslog.h>
#include <sys/sysctl.h>
#include <sys/vimage.h>
@@ -91,6 +93,12 @@ __FBSDID("$FreeBSD$");
CTASSERT(sizeof(struct ip) == 20);
#endif
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+struct vnet_inet vnet_inet_0;
+#endif
+#endif
+
#ifdef VIMAGE_GLOBALS
static int ipsendredirects;
static int ip_checkinterface;
@@ -170,7 +178,9 @@ SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RW,
ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
+#ifdef VIMAGE_GLOBALS
static uma_zone_t ipq_zone;
+#endif
static struct mtx ipqlock;
#define IPQ_LOCK() mtx_lock(&ipqlock)
@@ -207,7 +217,9 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
*/
ip_fw_chk_t *ip_fw_chk_ptr = NULL;
ip_dn_io_t *ip_dn_io_ptr = NULL;
-int fw_one_pass = 1;
+#ifdef VIMAGE_GLOBALS
+int fw_one_pass;
+#endif
static void ip_freef(struct ipqhead *, struct ipq *);
@@ -246,6 +258,8 @@ ip_init(void)
V_ipport_randomtime = 45; /* user controlled via sysctl */
V_ipport_stoprandom = 0; /* toggled by ipport_tick */
+ V_fw_one_pass = 1;
+
#ifdef NOTYET
/* XXX global static but not instantiated in this file */
V_ipfastforward_active = 0;
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index a40dd1d182f6..03cf56fc9a80 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -793,7 +793,6 @@ done:
void
in_delayed_cksum(struct mbuf *m)
{
- INIT_VNET_INET(curvnet);
struct ip *ip;
u_short csum, offset;
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index e23fe93379c0..a4e73db48456 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -177,6 +177,7 @@ struct sockopt;
extern struct ipstat ipstat;
extern u_short ip_id; /* ip packet ctr, for ids */
+extern int ip_do_randomid;
extern int ip_defttl; /* default IP ttl */
extern int ipforwarding; /* ip forwarding */
#ifdef IPSTEALTH
diff --git a/sys/netinet/libalias/alias_db.c b/sys/netinet/libalias/alias_db.c
index 82ff13800c64..93b226e57a81 100644
--- a/sys/netinet/libalias/alias_db.c
+++ b/sys/netinet/libalias/alias_db.c
@@ -146,7 +146,9 @@ __FBSDID("$FreeBSD$");
#include <machine/stdarg.h>
#include <sys/param.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
#include <sys/module.h>
+#include <sys/rwlock.h>
#include <sys/syslog.h>
#else
#include <stdarg.h>
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 787194937fc4..9b5a3f32e722 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -46,6 +46,7 @@ __FBSDID("$FreeBSD$");
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/protosw.h>
+#include <sys/rwlock.h>
#include <sys/signalvar.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
diff --git a/sys/netinet/sctp_os_bsd.h b/sys/netinet/sctp_os_bsd.h
index ff9d534e967a..d0e7a1883c40 100644
--- a/sys/netinet/sctp_os_bsd.h
+++ b/sys/netinet/sctp_os_bsd.h
@@ -68,6 +68,7 @@ __FBSDID("$FreeBSD$");
#include <net/if_types.h>
#include <net/if_var.h>
#include <net/route.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -96,6 +97,7 @@ __FBSDID("$FreeBSD$");
#include <netinet6/ip6protosw.h>
#include <netinet6/nd6.h>
#include <netinet6/scope6_var.h>
+#include <netinet6/vinet6.h>
#endif /* INET6 */
@@ -152,13 +154,8 @@ MALLOC_DECLARE(SCTP_M_SOCKOPT);
#define MOD_IPSEC ipsec
/* then define the macro(s) that hook into the vimage macros */
-#if defined(__FreeBSD__) && __FreeBSD_version >= 800044 && defined(VIMAGE)
-#if 0
-#define VSYMNAME(__MODULE) vnet_ ## __MODULE
-#define MODULE_GLOBAL(__MODULE, __SYMBOL) VSYM(VSYMNAME(__MODULE), __SYMBOL)
-#else
+#if defined(__FreeBSD__) && __FreeBSD_version >= 800056
#define MODULE_GLOBAL(__MODULE, __SYMBOL) V_ ## __SYMBOL
-#endif
#else
#define MODULE_GLOBAL(__MODULE, __SYMBOL) (__SYMBOL)
#endif
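Review bot: `MODULE_GLOBAL` now ignores `__MODULE` in both branches and pastes `V_` directly onto `__SYMBOL`, so the argument must be a bare variable name with a matching `V_` macro in scope; a nested or already-prefixed argument is not expanded before the paste. Nothing in the header records that, and a comment above the define would: `/* __SYMBOL is pasted after V_; pass the bare variable name only. */`. The guard also changed to `__FreeBSD_version >= 800056`, and the matching version bump is not visible in this part of the diff, so it should be confirmed.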
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index d300382356c6..5f05dcdaecb9 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -59,11 +59,11 @@ SCTP6_ARE_ADDR_EQUAL(struct sockaddr_in6 *a, struct sockaddr_in6 *b)
struct sockaddr_in6 tmp_a, tmp_b;
memcpy(&tmp_a, a, sizeof(struct sockaddr_in6));
- if (sa6_embedscope(&tmp_a, MODULE_GLOBAL(MOD_INET6, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone))) != 0) {
+ if (sa6_embedscope(&tmp_a, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone)) != 0) {
return 0;
}
memcpy(&tmp_b, b, sizeof(struct sockaddr_in6));
- if (sa6_embedscope(&tmp_b, MODULE_GLOBAL(MOD_INET6, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone))) != 0) {
+ if (sa6_embedscope(&tmp_b, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone)) != 0) {
return 0;
}
return (IN6_ARE_ADDR_EQUAL(&tmp_a.sin6_addr, &tmp_b.sin6_addr));
@@ -2008,7 +2008,7 @@ sctp_findassociation_addr(struct mbuf *m, int iphlen, int offset,
/* Get the scopes in properly to the sin6 addr's */
/* we probably don't need these operations */
(void)sa6_recoverscope(from6);
- sa6_embedscope(from6, MODULE_GLOBAL(MOD_INET6, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone)));
+ sa6_embedscope(from6, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone));
break;
}
#endif
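Review bot: The return value of `sa6_embedscope()` on the rewritten line is dropped without comment, whereas SCTP6_ARE_ADDR_EQUAL in the first hunk of this file treats a non-zero return as failure and the line just above casts `sa6_recoverscope()` to `(void)`. If ignoring the result is intended, `(void)sa6_embedscope(from6, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone));` says so. Otherwise the association lookup continues with an address whose scope zone may not have been embedded, and the failure should be handled. The same applies to the `to6` call in the next hunk. sctp_findassociation_addr starts and ends outside both hunks.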
@@ -2049,7 +2049,7 @@ sctp_findassociation_addr(struct mbuf *m, int iphlen, int offset,
/* Get the scopes in properly to the sin6 addr's */
/* we probably don't need these operations */
(void)sa6_recoverscope(to6);
- sa6_embedscope(to6, MODULE_GLOBAL(MOD_INET6, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone)));
+ sa6_embedscope(to6, MODULE_GLOBAL(MOD_INET6, ip6_use_defzone));
break;
}
#endif
diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index b52b5b3a7fe1..4ca10af849ed 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -135,7 +135,6 @@ int tcp_sack_globalholes;
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, sack, CTLFLAG_RW, 0, "TCP SACK");
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, enable,
CTLFLAG_RW, tcp_do_sack, 0, "Enable/Disable TCP SACK support");
-TUNABLE_INT("net.inet.tcp.sack.enable", &tcp_do_sack);
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, maxholes,
CTLFLAG_RW, tcp_sack_maxholes, 0,
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 639c42f6c087..bc136b26e1cf 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -203,7 +203,7 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0,
"Enable tcp_drain routine for extra help when low on mbufs");
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, pcbcount,
- CTLFLAG_RD, V_tcbinfo.ipi_count, 0, "Number of active PCBs");
+ CTLFLAG_RD, tcbinfo.ipi_count, 0, "Number of active PCBs");
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, icmp_may_rst,
CTLFLAG_RW, icmp_may_rst, 0,
@@ -359,6 +359,8 @@ tcp_init(void)
V_tcp_inflight_rttthresh = TCPTV_INFLIGHT_RTTTHRESH;
tcp_finwait2_timeout = TCPTV_FINWAIT2_TIMEOUT;
+ TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
+
INP_INFO_LOCK_INIT(&V_tcbinfo, "tcp");
LIST_INIT(&V_tcb);
V_tcbinfo.ipi_listhead = &V_tcb;
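Review bot: The added `TUNABLE_INT_FETCH` only takes effect if the default for `V_tcp_do_sack` is assigned before it, and that assignment is not visible in this hunk (tcp_init continues above and below it). The ip6_init hunk later in this commit places its fetch directly after the default, which makes the ordering obvious; doing the same here would help. The tunable name is now spelled in tcp_subr.c while the matching sysctl stays in tcp_sack.c, so a comment would help, for example `/* Loader tunable for the sysctl declared in tcp_sack.c; must follow the default assignment. */`.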
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 53e9626168ca..e4022971b9e6 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1198,7 +1198,7 @@ udp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
sin = (struct sockaddr_in *)nam;
if (prison_remote_ip4(td->td_ucred, &sin->sin_addr) != 0) {
INP_WUNLOCK(inp);
- INP_INFO_WUNLOCK(&udbinfo);
+ INP_INFO_WUNLOCK(&V_udbinfo);
return (EAFNOSUPPORT);
}
error = in_pcbconnect(inp, nam, td->td_ucred);
diff --git a/sys/netinet/vinet.h b/sys/netinet/vinet.h
index 8a8babadcfc7..65ccfa452e56 100644
--- a/sys/netinet/vinet.h
+++ b/sys/netinet/vinet.h
@@ -194,8 +194,16 @@ struct vnet_inet {
int _icmp_rfi;
int _icmp_quotelen;
int _icmpbmcastecho;
+
+ int _fw_one_pass;
};
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+extern struct vnet_inet vnet_inet_0;
+#endif
+#endif
+
/*
* Symbol translation macros
*/
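Review bot: The nested `#ifndef VIMAGE` / `#ifndef VIMAGE_GLOBALS` guard around `vnet_inet_0` is repeated verbatim in the ip6_input.c, vinet6.h, ipsec.c and vipsec.h hunks of this commit. A single condition is easier to read and leaves one `#endif` to match: `#if !defined(VIMAGE) && !defined(VIMAGE_GLOBALS)`. A one-line comment on the declaration would also help, for example `/* Sole container instance when virtualization is compiled out. */`.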
@@ -212,6 +220,7 @@ struct vnet_inet {
#define V_divcbinfo VNET_INET(divcbinfo)
#define V_drop_redirect VNET_INET(drop_redirect)
#define V_drop_synfin VNET_INET(drop_synfin)
+#define V_fw_one_pass VNET_INET(fw_one_pass)
#define V_icmp_may_rst VNET_INET(icmp_may_rst)
#define V_icmp_quotelen VNET_INET(icmp_quotelen)
#define V_icmp_rfi VNET_INET(icmp_rfi)
@@ -330,16 +339,6 @@ struct vnet_inet {
#define V_udpstat VNET_INET(udpstat)
#define V_useloopback VNET_INET(useloopback)
-static __inline uint16_t ip_newid(void);
-extern int ip_do_randomid;
-
-static __inline uint16_t
-ip_newid(void)
-{
- if (V_ip_do_randomid)
- return ip_randomid();
-
- return htons(V_ip_id++);
-}
+#define ip_newid() ((V_ip_do_randomid != 0) ? ip_randomid() : htons(V_ip_id++))
#endif /* !_NETINET_VINET_H_ */
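Review bot: Replacing the inline `ip_newid()` with a macro drops the declared `uint16_t` result, because the conditional expression is promoted to `int`. It also means `ip_randomid()` and `htons()` must be declared at every expansion site rather than once in this header. A cast keeps the old type: `#define ip_newid() ((uint16_t)((V_ip_do_randomid != 0) ? ip_randomid() : htons(V_ip_id++)))`. Since this value becomes the IP ID field, a short comment above the macro saying why it could not remain a `static __inline` function would help the next reader.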
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index 112cda21b904..380ee5508576 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -74,6 +74,7 @@ __FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
+#include <sys/proc.h>
#include <sys/protosw.h>
#include <sys/kernel.h>
#include <sys/domain.h>
@@ -518,9 +519,6 @@ SYSCTL_V_OID(V_NET, vnet_inet6, _net_inet6_ip6, IPV6CTL_TEMPVLTIME, tempvltime,
sysctl_ip6_tempvltime, "I", "");
SYSCTL_V_INT(V_NET, vnet_inet6, _net_inet6_ip6, IPV6CTL_V6ONLY,
v6only, CTLFLAG_RW, ip6_v6only, 0, "");
-#ifndef VIMAGE
-TUNABLE_INT("net.inet6.ip6.auto_linklocal", &ip6_auto_linklocal);
-#endif
SYSCTL_V_INT(V_NET, vnet_inet6, _net_inet6_ip6, IPV6CTL_AUTO_LINKLOCAL,
auto_linklocal, CTLFLAG_RW, ip6_auto_linklocal, 0, "");
SYSCTL_V_STRUCT(V_NET, vnet_inet6, _net_inet6_ip6, IPV6CTL_RIP6STATS,
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index fb42c5e73103..7edcaa396120 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -120,6 +120,12 @@ extern struct domain inet6domain;
u_char ip6_protox[IPPROTO_MAX];
static struct ifqueue ip6intrq;
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+struct vnet_inet6 vnet_inet6_0;
+#endif
+#endif
+
#ifdef VIMAGE_GLOBALS
static int ip6qmaxlen;
struct in6_ifaddr *in6_ifaddr;
@@ -172,6 +178,8 @@ ip6_init(void)
#else
V_ip6_auto_linklocal = 1; /* enable by default */
#endif
+ TUNABLE_INT_FETCH("net.inet6.ip6.auto_linklocal",
+ &V_ip6_auto_linklocal);
#ifndef IPV6FORWARDING
#ifdef GATEWAY6
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 8f517a5729cc..18e81c305f48 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -166,10 +166,10 @@ nd6_init(void)
V_llinfo_nd6.ln_prev = &V_llinfo_nd6;
LIST_INIT(&V_nd_prefix);
- ip6_use_tempaddr = 0;
- ip6_temp_preferred_lifetime = DEF_TEMP_PREFERRED_LIFETIME;
- ip6_temp_valid_lifetime = DEF_TEMP_VALID_LIFETIME;
- ip6_temp_regen_advance = TEMPADDR_REGEN_ADVANCE;
+ V_ip6_use_tempaddr = 0;
+ V_ip6_temp_preferred_lifetime = DEF_TEMP_PREFERRED_LIFETIME;
+ V_ip6_temp_valid_lifetime = DEF_TEMP_VALID_LIFETIME;
+ V_ip6_temp_regen_advance = TEMPADDR_REGEN_ADVANCE;
all1_sa.sin6_family = AF_INET6;
all1_sa.sin6_len = sizeof(struct sockaddr_in6);
diff --git a/sys/netinet6/vinet6.h b/sys/netinet6/vinet6.h
index a84be4fdb317..d509977434b1 100644
--- a/sys/netinet6/vinet6.h
+++ b/sys/netinet6/vinet6.h
@@ -89,7 +89,7 @@ struct vnet_inet6 {
int _dad_init;
int _icmp6errpps_count;
- int _icmp6errppslim_last;
+ struct timeval _icmp6errppslim_last;
int _ip6_forwarding;
int _ip6_sendredirects;
@@ -156,6 +156,12 @@ struct vnet_inet6 {
struct ip6_pktopts _ip6_opts;
};
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+extern struct vnet_inet6 vnet_inet6_0;
+#endif
+#endif
+
#define INIT_VNET_INET6(vnet) \
INIT_FROM_VNET(vnet, VNET_MOD_INET6, struct vnet_inet6, vnet_inet6)
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 2fd83f0a148f..541e42e4aced 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -97,6 +97,12 @@
#include <opencrypto/cryptodev.h>
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+struct vnet_ipsec vnet_ipsec_0;
+#endif
+#endif
+
#ifdef VIMAGE_GLOBALS
/* NB: name changed so netstat doesn't use it */
struct ipsecstat ipsec4stat;
diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h
index de97452c77d7..5b26c0ea8d9a 100644
--- a/sys/netipsec/vipsec.h
+++ b/sys/netipsec/vipsec.h
@@ -109,6 +109,12 @@ struct vnet_ipsec {
LIST_HEAD(, secspacq) _spacqtree;
};
+#ifndef VIMAGE
+#ifndef VIMAGE_GLOBALS
+extern struct vnet_ipsec vnet_ipsec_0;
+#endif
+#endif
+
/*
* Symbol translation macros
*/
diff --git a/sys/sys/kernel.h b/sys/sys/kernel.h
index d224733193b1..16fab6cef963 100644
--- a/sys/sys/kernel.h
+++ b/sys/sys/kernel.h
@@ -117,6 +117,7 @@ enum sysinit_sub_id {
SI_SUB_MAC = 0x2180000, /* TrustedBSD MAC subsystem */
SI_SUB_MAC_POLICY = 0x21C0000, /* TrustedBSD MAC policies */
SI_SUB_MAC_LATE = 0x21D0000, /* TrustedBSD MAC subsystem */
+ SI_SUB_VIMAGE = 0x21E0000, /* vimage infrastructure */
SI_SUB_INTRINSIC = 0x2200000, /* proc 0*/
SI_SUB_VM_CONF = 0x2300000, /* config VM, set limits*/
SI_SUB_DDB_SERVICES = 0x2380000, /* capture, scripting, etc. */
diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h
index f1cb04a709e3..a92f190bc9c9 100644
--- a/sys/sys/sysctl.h
+++ b/sys/sys/sysctl.h
@@ -227,16 +227,23 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry);
#ifdef VIMAGE
#define SYSCTL_V_OID(subs, mod, parent, nbr, name, kind, a1, a2, \
- handler, fmt, descr) \
+ handler, fmt, descr) \
static struct sysctl_oid sysctl__##parent##_##name = { \
&sysctl_##parent##_children, { 0 }, nbr, kind, \
(void *) offsetof(struct mod, _##a1), a2, #name, \
handler, fmt, 0, __DESCR(descr), subs, V_MOD_##mod }; \
DATA_SET(sysctl_set, sysctl__##parent##_##name)
#else
+#ifdef VIMAGE_GLOBALS
#define SYSCTL_V_OID(subs, mod, parent, nbr, name, kind, a1, a2, \
handler, fmt, descr) \
SYSCTL_OID(parent, nbr, name, kind, &a1, a2, handler, fmt, descr)
+#else
+#define SYSCTL_V_OID(subs, mod, parent, nbr, name, kind, a1, a2, \
+ handler, fmt, descr) \
+ SYSCTL_OID(parent, nbr, name, kind, & mod ## _0._ ## a1, a2, \
+ handler, fmt, descr)
+#endif
#endif
#define SYSCTL_ADD_OID(ctx, parent, nbr, name, kind, a1, a2, handler, fmt, descr) \
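Review bot: The new non-`VIMAGE_GLOBALS` variant pastes its variable argument with `##` (`& mod ## _0._ ## a1`), so the argument is never macro-expanded and must be the bare field name; presumably that is why tcp_subr.c had to change `V_tcbinfo.ipi_count` to `tcbinfo.ipi_count`. The header does not say so, and a comment above `SYSCTL_V_OID` would: `/* a1/sym is the bare field name; it is pasted into <mod>_0._<sym>, so V_ macros must not be passed. */`. The same paste is repeated in `SYSCTL_V_STRING`, `SYSCTL_V_INT`, `SYSCTL_V_UINT` and `SYSCTL_V_STRUCT` in the following hunks. Those could expand through `SYSCTL_V_OID` with the non-virtualized handler, as the `VIMAGE` branch already does, so the container naming lives in one place.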
@@ -262,9 +269,15 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry);
SYSCTL_V_OID(subs, mod, parent, nbr, name, CTLTYPE_STRING|(access), \
sym, len, sysctl_handle_v_string, "A", descr)
#else
+#ifdef VIMAGE_GLOBALS
#define SYSCTL_V_STRING(subs, mod, parent, nbr, name, access, sym, len, descr) \
SYSCTL_OID(parent, nbr, name, CTLTYPE_STRING|(access), \
&sym, len, sysctl_handle_string, "A", descr)
+#else
+#define SYSCTL_V_STRING(subs, mod, parent, nbr, name, access, sym, len, descr) \
+ SYSCTL_OID(parent, nbr, name, CTLTYPE_STRING|(access), \
+ & mod ## _0._ ## sym, len, sysctl_handle_string, "A", descr)
+#endif
#endif
#define SYSCTL_ADD_STRING(ctx, parent, nbr, name, access, arg, len, descr) \
@@ -281,9 +294,15 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry);
SYSCTL_V_OID(subs, mod, parent, nbr, name, CTLTYPE_INT|(access), \
sym, val, sysctl_handle_v_int, "I", descr)
#else
+#ifdef VIMAGE_GLOBALS
#define SYSCTL_V_INT(subs, mod, parent, nbr, name, access, sym, val, descr) \
SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|(access), \
&sym, val, sysctl_handle_int, "I", descr)
+#else
+#define SYSCTL_V_INT(subs, mod, parent, nbr, name, access, sym, val, descr) \
+ SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|(access), \
+ & mod ## _0._ ## sym, val, sysctl_handle_int, "I", descr)
+#endif
#endif
#define SYSCTL_ADD_INT(ctx, parent, nbr, name, access, ptr, val, descr) \
@@ -300,9 +319,15 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry);
SYSCTL_V_OID(subs, mod, parent, nbr, name, CTLTYPE_UINT|(access), \
sym, val, sysctl_handle_v_int, "IU", descr)
#else
+#ifdef VIMAGE_GLOBALS
#define SYSCTL_V_UINT(subs, mod, parent, nbr, name, access, sym, val, descr) \
SYSCTL_OID(parent, nbr, name, CTLTYPE_UINT|(access), \
&sym, val, sysctl_handle_int, "IU", descr)
+#else
+#define SYSCTL_V_UINT(subs, mod, parent, nbr, name, access, sym, val, descr) \
+ SYSCTL_OID(parent, nbr, name, CTLTYPE_UINT|(access), \
+ & mod ## _0._ ## sym, val, sysctl_handle_int, "IU", descr)
+#endif
#endif
#define SYSCTL_ADD_UINT(ctx, parent, nbr, name, access, ptr, val, descr) \
@@ -374,11 +399,19 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry);
sym, sizeof(struct type), sysctl_handle_v_opaque, \
"S," #type, descr)
#else
+#ifdef VIMAGE_GLOBALS
#define SYSCTL_V_STRUCT(subs, mod, parent, nbr, name, access, sym, \
type, descr) \
SYSCTL_OID(parent, nbr, name, CTLTYPE_OPAQUE|(access), \
&sym, sizeof(struct type), sysctl_handle_opaque, \
"S," #type, descr)
+#else
+#define SYSCTL_V_STRUCT(subs, mod, parent, nbr, name, access, sym, \
+ type, descr) \
+ SYSCTL_OID(parent, nbr, name, CTLTYPE_OPAQUE|(access), \
+ & mod ## _0._ ## sym, sizeof(struct type), \
+ sysctl_handle_opaque, "S," #type, descr)
+#endif
#endif
#define SYSCTL_ADD_STRUCT(ctx, parent, nbr, name, access, ptr, type, descr) \
diff --git a/sys/sys/vimage.h b/sys/sys/vimage.h
index 91240042374a..fd6e00c0dc71 100644
--- a/sys/sys/vimage.h
+++ b/sys/sys/vimage.h
@@ -33,14 +33,54 @@
#ifndef _SYS_VIMAGE_H_
#define _SYS_VIMAGE_H_
-#define VIMAGE_GLOBALS 1
+#include <sys/queue.h>
+
+struct kld_sym_lookup;
+
+struct vnet_symmap {
+ char *name;
+ void *base;
+ size_t size;
+};
+
+struct vnet_modinfo {
+ char *vmi_name;
+ struct vnet_symmap *vmi_symmap;
+};
+
+struct vnet_modlink {
+ TAILQ_ENTRY(vnet_modlink) vml_mod_le;
+ const struct vnet_modinfo *vml_modinfo;
+};
+
+#define VNET_MOD_DECLARE(m_name_uc, m_name_lc, m_iattach, m_idetach, \
+ m_dependson, m_symmap) \
+ static const struct vnet_modinfo vnet_##m_name_lc##_modinfo = { \
+ .vmi_name = #m_name_lc, \
+ .vmi_symmap = m_symmap \
+};
+
+#ifdef VIMAGE_GLOBALS
+#define VSYM(base, sym) (sym)
+#else
+#ifdef VIMAGE
+#error "No option VIMAGE yet!"
+#else
+#define VSYM(base, sym) (base ## _0._ ## sym)
+#endif
+#endif
+
+#define VNET_SYMMAP(mod, name) \
+ { #name, &(vnet_ ## mod ## _0._ ## name), \
+ sizeof(vnet_ ## mod ## _0._ ## name) }
+
+#define VNET_SYMMAP_END { NULL, 0 }
/* Non-VIMAGE null-macros */
#define CURVNET_SET(arg)
#define CURVNET_SET_QUIET(arg)
#define CURVNET_RESTORE()
#define VNET_ASSERT(condition)
-#define VSYM(base, sym) (sym)
#define INIT_FROM_VNET(vnet, modindex, modtype, sym)
#define VNET_ITERATOR_DECL(arg)
#define VNET_FOREACH(arg)
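Review bot: `VNET_SYMMAP_END` initialises only two of the three `struct vnet_symmap` members, and `name` and `vmi_name` are plain `char *` although this hunk only ever sets them from string literals (`#name`, `#m_name_lc`). Suggested: `const char *name;`, `const char *vmi_name;` and `#define VNET_SYMMAP_END { NULL, NULL, 0 }`. `VNET_MOD_DECLARE` also ends in `};`, so a call site that adds its own semicolon leaves a stray empty declaration. Four of its six parameters are unused, with no comment saying they are reserved for later. Since these tables decide which container fields the symbol lookup can resolve, a comment on `struct vnet_symmap` describing `base` and `size` would be worth adding.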
@@ -58,11 +98,14 @@
#define P_TO_VCPU(p)
/* XXX those defines bellow should probably go into vprocg.h and vcpu.h */
-#define VPROCG(sym) VSYM(vprocg, sym)
-#define VCPU(sym) VSYM(vcpu, sym)
+#define VPROCG(sym) (sym)
+#define VCPU(sym) (sym)
#define V_hostname VPROCG(hostname)
-#define G_hostname VSYM(basevprocg, hostname) /* global hostname */
+#define G_hostname VPROCG(hostname) /* global hostname */
#define V_domainname VPROCG(domainname)
+int vi_symlookup(struct kld_sym_lookup *, char *);
+void vnet_mod_register(const struct vnet_modinfo *);
+
#endif /* !_SYS_VIMAGE_H_ */