Change the initialization methodology for global variables scheduled

for virtualization.

Instead of initializing the affected global variables at instatiation,
assign initial values to them in initializer functions.  As a rule,
initialization at instatiation for such variables should never be
introduced again from now on.  Furthermore, enclose all instantiations
of such global variables in #ifdef VIMAGE_GLOBALS blocks.

Essentialy, this change should have zero functional impact.  In the next
phase of merging network stack virtualization infrastructure from
p4/vimage branch, the new initialization methology will allow us to
switch between using global variables and their counterparts residing in
virtualization containers with minimum code churn, and in the long run
allow us to intialize multiple instances of such container structures.

Discussed at:	devsummit Strassburg
Reviewed by:	bz, julian
Approved by:	julian (mentor)
Obtained from:	//depot/projects/vimage-commit2/...
X-MFC after:	never
Sponsored by:	NLnet Foundation, The FreeBSD Foundation

28 files changed, 315 insertions, 117 deletions

diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index 3d1eba6..130ba0c 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -82,7 +82,12 @@ SYSCTL_DECL(_net_link_ether);
 SYSCTL_NODE(_net_link_ether, PF_INET, inet, CTLFLAG_RW, 0, "");
 
 /* timer values */
-static int arpt_keep = (20*60); /* once resolved, good for 20 more minutes */
+#ifdef VIMAGE_GLOBALS
+static int	arpt_keep; /* once resolved, good for 20 more minutes */
+static int	arp_maxtries;
+static int	useloopback; /* use loopback interface for local traffic */
+static int	arp_proxyall;
+#endif
 
 SYSCTL_INT(_net_link_ether_inet, OID_AUTO, max_age, CTLFLAG_RW, 
 	   &arpt_keep, 0, "ARP entry lifetime in seconds");
@@ -99,10 +104,6 @@ struct llinfo_arp {
 
 static struct	ifqueue arpintrq;
 
-static int	arp_maxtries = 5;
-static int	useloopback = 1; /* use loopback interface for local traffic */
-static int	arp_proxyall = 0;
-
 SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, maxtries,
 	CTLFLAG_RW, arp_maxtries, 0,
 	"ARP resolution attempts before returning error");
@@ -1076,6 +1077,12 @@ arp_ifinit2(struct ifnet *ifp, struct ifaddr *ifa, u_char *enaddr)
 static void
 arp_init(void)
 {
+	INIT_VNET_INET(curvnet);
+
+	V_arpt_keep = (20*60); /* once resolved, good for 20 more minutes */
+	V_arp_maxtries = 5;
+	V_useloopback = 1; /* use loopback interface for local traffic */
+	V_arp_proxyall = 0;
 
 	arpintrq.ifq_maxlen = 50;
 	mtx_init(&arpintrq.ifq_mtx, "arp_inq", NULL, MTX_DEF);
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index d047abe..f77434c 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -80,7 +80,9 @@ static MALLOC_DEFINE(M_IGMP, "igmp", "igmp state");
 static struct router_info	*find_rti(struct ifnet *ifp);
 static void	igmp_sendpkt(struct in_multi *, int, unsigned long);
 
+#ifdef VIMAGE_GLOBALS
 static struct igmpstat igmpstat;
+#endif
 
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_igmp, IGMPCTL_STATS,
     stats, CTLFLAG_RW, igmpstat, igmpstat, "");
@@ -92,8 +94,10 @@ SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_igmp, IGMPCTL_STATS,
  * reference counting is used.  We allow unlocked reads of router_info data
  * when accessed via an in_multi read-only.
  */
-static struct mtx igmp_mtx;
+#ifdef VIMAGE_GLOBALS
 static SLIST_HEAD(, router_info) router_info_head;
+#endif
+static struct mtx igmp_mtx;
 static int igmp_timers_are_running;
 
 /*
diff --git a/sys/netinet/in.c b/sys/netinet/in.c
index 0ce7dbd..f2d7ccb 100644
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@@ -66,18 +66,20 @@ static int	in_ifinit(struct ifnet *,
 	    struct in_ifaddr *, struct sockaddr_in *, int);
 static void	in_purgemaddrs(struct ifnet *);
 
-static int subnetsarelocal = 0;
+#ifdef VIMAGE_GLOBALS
+static int subnetsarelocal;
+static int sameprefixcarponly;
+extern struct inpcbinfo ripcbinfo;
+extern struct inpcbinfo udbinfo;
+#endif
+
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, subnets_are_local,
 	CTLFLAG_RW, subnetsarelocal, 0,
 	"Treat all subnets as directly connected");
-static int sameprefixcarponly = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, same_prefix_carp_only,
 	CTLFLAG_RW, sameprefixcarponly, 0,
 	"Refuse to create same prefixes on different interfaces");
 
-extern struct inpcbinfo ripcbinfo;
-extern struct inpcbinfo udbinfo;
-
 /*
  * Return 1 if an internet address is for a ``local'' host
  * (one to which we have a connection).  If subnetsarelocal
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index 6165421..f347102 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -85,7 +85,9 @@ struct protosw in_gif_protosw = {
 	.pr_usrreqs =		&rip_usrreqs
 };
 
-static int ip_gif_ttl = GIF_TTL;
+#ifdef VIMAGE_GLOBALS
+extern int ip_gif_ttl;
+#endif
 SYSCTL_V_INT(V_NET, vnet_gif, _net_inet_ip, IPCTL_GIF_TTL, gifttl,
 	CTLFLAG_RW, ip_gif_ttl,	0, "");
 
diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c
index 65e6be8..6cf6d92 100644
--- a/sys/netinet/in_mcast.c
+++ b/sys/netinet/in_mcast.c
@@ -86,7 +86,9 @@ static MALLOC_DEFINE(M_IPMSOURCE, "in_msource", "IPv4 multicast source filter");
  * ip_output() to send IGMP packets while holding the lock; this probably is
  * not quite desirable.
  */
+#ifdef VIMAGE_GLOBALS
 struct in_multihead in_multihead;	/* XXX BSS initialization */
+#endif
 struct mtx in_multi_mtx;
 MTX_SYSINIT(in_multi_mtx, &in_multi_mtx, "in_multi_mtx", MTX_DEF | MTX_RECURSE);
 
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 7732133..8611bee 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -84,32 +84,34 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
+#ifdef VIMAGE_GLOBALS
 /*
  * These configure the range of local port addresses assigned to
  * "unspecified" outgoing connections/packets/whatever.
  */
-int	ipport_lowfirstauto  = IPPORT_RESERVED - 1;	/* 1023 */
-int	ipport_lowlastauto = IPPORT_RESERVEDSTART;	/* 600 */
-int	ipport_firstauto = IPPORT_EPHEMERALFIRST;	/* 10000 */
-int	ipport_lastauto  = IPPORT_EPHEMERALLAST;	/* 65535 */
-int	ipport_hifirstauto = IPPORT_HIFIRSTAUTO;	/* 49152 */
-int	ipport_hilastauto  = IPPORT_HILASTAUTO;		/* 65535 */
+int	ipport_lowfirstauto;
+int	ipport_lowlastauto;
+int	ipport_firstauto;
+int	ipport_lastauto;
+int	ipport_hifirstauto;
+int	ipport_hilastauto;
 
 /*
  * Reserved ports accessible only to root. There are significant
  * security considerations that must be accounted for when changing these,
  * but the security benefits can be great. Please be careful.
  */
-int	ipport_reservedhigh = IPPORT_RESERVED - 1;	/* 1023 */
-int	ipport_reservedlow = 0;
+int	ipport_reservedhigh;
+int	ipport_reservedlow;
 
 /* Variables dealing with random ephemeral port allocation. */
-int	ipport_randomized = 1;	/* user controlled via sysctl */
-int	ipport_randomcps = 10;	/* user controlled via sysctl */
-int	ipport_randomtime = 45;	/* user controlled via sysctl */
-int	ipport_stoprandom = 0;	/* toggled by ipport_tick */
+int	ipport_randomized;
+int	ipport_randomcps;
+int	ipport_randomtime;
+int	ipport_stoprandom;
 int	ipport_tcpallocs;
 int	ipport_tcplastcount;
+#endif
 
 #define RANGECHK(var, min, max) \
 	if ((var) < (min)) { (var) = (min); } \
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 9a43511..076b262 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -450,6 +450,8 @@ extern int	ipport_lastauto;
 extern int	ipport_hifirstauto;
 extern int	ipport_hilastauto;
 extern int	ipport_randomized;
+extern int	ipport_randomcps;
+extern int	ipport_randomtime;
 extern int	ipport_stoprandom;
 extern int	ipport_tcpallocs;
 extern struct callout ipport_tick_callout;
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index aac2104..8af52f2 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -193,6 +193,7 @@ struct protosw inetsw[] = {
 	.pr_flags =		PR_ATOMIC|PR_ADDR|PR_LASTHDR,
 	.pr_input =		icmp_input,
 	.pr_ctloutput =		rip_ctloutput,
+	.pr_init =		icmp_init,
 	.pr_usrreqs =		&rip_usrreqs
 },
 {
diff --git a/sys/netinet/in_rmx.c b/sys/netinet/in_rmx.c
index 66b8bb3..d70aaa6 100644
--- a/sys/netinet/in_rmx.c
+++ b/sys/netinet/in_rmx.c
@@ -151,17 +151,20 @@ in_matroute(void *v_arg, struct radix_node_head *head)
 	return rn;
 }
 
-static int rtq_reallyold = 60*60;		/* one hour is "really old" */
+#ifdef VIMAGE_GLOBALS
+static int rtq_reallyold;
+static int rtq_minreallyold;
+static int rtq_toomany;
+#endif
+
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTEXPIRE, rtexpire,
     CTLFLAG_RW, rtq_reallyold, 0,
     "Default expiration time on dynamically learned routes");
 
-static int rtq_minreallyold = 10;  /* never automatically crank down to less */
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTMINEXPIRE,
     rtminexpire, CTLFLAG_RW, rtq_minreallyold, 0,
     "Minimum time to attempt to hold onto dynamically learned routes");
 
-static int rtq_toomany = 128;		/* 128 cached routes is "too many" */
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTMAXCACHE,
     rtmaxcache, CTLFLAG_RW, rtq_toomany, 0,
     "Upper limit on dynamically learned routes");
@@ -256,8 +259,10 @@ in_rtqkill(struct radix_node *rn, void *rock)
 }
 
 #define RTQ_TIMEOUT	60*10	/* run no less than once every ten minutes */
-static int rtq_timeout = RTQ_TIMEOUT;
+#ifdef VIMAGE_GLOBALS
+static int rtq_timeout;
 static struct callout rtq_timer;
+#endif
 
 static void in_rtqtimo_one(void *rock);
 
@@ -376,6 +381,11 @@ in_inithead(void **head, int off)
 	if (off == 0)		/* XXX MRT  see above */
 		return 1;	/* only do the rest for a real routing table */
 
+	V_rtq_reallyold = 60*60; /* one hour is "really old" */
+	V_rtq_minreallyold = 10; /* never automatically crank down to less */
+	V_rtq_toomany = 128;	 /* 128 cached routes is "too many" */
+	V_rtq_timeout = RTQ_TIMEOUT;
+
 	rnh = *head;
 	rnh->rnh_addaddr = in_addroute;
 	rnh->rnh_matchaddr = in_matroute;
diff --git a/sys/netinet/in_var.h b/sys/netinet/in_var.h
index 4999e90..1190826 100644
--- a/sys/netinet/in_var.h
+++ b/sys/netinet/in_var.h
@@ -138,6 +138,15 @@ do { \
 #endif
 
 /*
+ * IP datagram reassembly.
+ */
+#define	IPREASS_NHASH_LOG2	6
+#define	IPREASS_NHASH		(1 << IPREASS_NHASH_LOG2)
+#define	IPREASS_HMASK		(IPREASS_NHASH - 1)
+#define	IPREASS_HASH(x,y) \
+	(((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
+
+/*
  * This information should be part of the ifnet structure but we don't wish
  * to change that - as it might break a number of things
  */
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index bac4534..dc000cb 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -112,8 +112,10 @@ __FBSDID("$FreeBSD$");
  */
 
 /* Internal variables. */
+#ifdef VIMAGE_GLOBALS
 static struct inpcbhead divcb;
 static struct inpcbinfo divcbinfo;
+#endif
 
 static u_long	div_sendspace = DIVSNDQ;	/* XXX sysctl ? */
 static u_long	div_recvspace = DIVRCVQ;	/* XXX sysctl ? */
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 4cdfd6b..7af1758 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -106,7 +106,9 @@ __FBSDID("$FreeBSD$");
 
 #include <machine/in_cksum.h>
 
-static int ipfastforward_active = 0;
+#ifdef VIMAGE_GLOBALS
+static int ipfastforward_active;
+#endif
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, fastforwarding,
     CTLFLAG_RW, ipfastforward_active, 0, "Enable fast IP forwarding");
 
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 2487533..e631dae 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -77,47 +77,51 @@ __FBSDID("$FreeBSD$");
  * host table maintenance routines.
  */
 
-struct	icmpstat icmpstat;
+#ifdef VIMAGE_GLOBALS
+struct icmpstat	icmpstat;
+static int	icmpmaskrepl;
+static u_int	icmpmaskfake;
+static int	drop_redirect;
+static int	log_redirect;
+static int	icmplim;
+static int	icmplim_output;
+static char	reply_src[IFNAMSIZ];
+static int	icmp_rfi;
+static int	icmp_quotelen;
+static int	icmpbmcastecho;
+#endif
+
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_STATS, stats,
 	CTLFLAG_RW, icmpstat, icmpstat, "");
 
-static int	icmpmaskrepl = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_MASKREPL, maskrepl,
 	CTLFLAG_RW, icmpmaskrepl, 0,
 	"Reply to ICMP Address Mask Request packets.");
 
-static u_int	icmpmaskfake = 0;
 SYSCTL_V_UINT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, maskfake, CTLFLAG_RW,
 	icmpmaskfake, 0, "Fake reply to ICMP Address Mask Request packets.");
 
-static int	drop_redirect = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, drop_redirect,
 	CTLFLAG_RW, drop_redirect, 0, "Ignore ICMP redirects");
 
-static int	log_redirect = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, log_redirect,
 	CTLFLAG_RW, log_redirect, 0, "Log ICMP redirects to the console");
 
-static int      icmplim = 200;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_ICMPLIM, icmplim,
 	CTLFLAG_RW, icmplim, 0, "Maximum number of ICMP responses per second");
 
-static int	icmplim_output = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, icmplim_output,
 	CTLFLAG_RW, icmplim_output, 0,
 	"Enable rate limiting of ICMP responses");
 
-static char	reply_src[IFNAMSIZ];
 SYSCTL_V_STRING(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, reply_src,
 	CTLFLAG_RW, reply_src, IFNAMSIZ,
 	"icmp reply source for non-local packets.");
 
-static int	icmp_rfi = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, reply_from_interface,
 	CTLFLAG_RW, icmp_rfi, 0, "ICMP reply from incoming interface for "
 	"non-local packets");
 
-static int	icmp_quotelen = 8;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_RW,
 	icmp_quotelen, 0, "Number of bytes from original packet to "
 	"quote in ICMP reply");
@@ -126,7 +130,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_RW,
  * ICMP broadcast echo sysctl
  */
 
-static int	icmpbmcastecho = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, bmcastecho,
 	CTLFLAG_RW, icmpbmcastecho, 0, "");
 
@@ -140,6 +143,22 @@ static void	icmp_send(struct mbuf *, struct mbuf *);
 
 extern	struct protosw inetsw[];
 
+void
+icmp_init(void)
+{
+	INIT_VNET_INET(curvnet);
+
+	V_icmpmaskrepl = 0;
+	V_icmpmaskfake = 0;
+	V_drop_redirect = 0;
+	V_log_redirect = 0;
+	V_icmplim = 200;
+	V_icmplim_output = 1;
+	V_icmp_rfi = 0;
+	V_icmp_quotelen = 8;
+	V_icmpbmcastecho = 0;
+}
+
 /*
  * Generate an error packet of type error
  * in response to bad packet ip.
diff --git a/sys/netinet/ip_icmp.h b/sys/netinet/ip_icmp.h
index e212083..a55c6fc 100644
--- a/sys/netinet/ip_icmp.h
+++ b/sys/netinet/ip_icmp.h
@@ -204,6 +204,7 @@ struct icmp {
 #ifdef _KERNEL
 void	icmp_error(struct mbuf *, int, int, n_long, int);
 void	icmp_input(struct mbuf *, int);
+void	icmp_init(void);
 int	ip_next_mtu(int, int);
 #endif
 
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index ce92c2f..8e40d84 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -89,33 +89,47 @@ __FBSDID("$FreeBSD$");
 CTASSERT(sizeof(struct ip) == 20);
 #endif
 
-int rsvp_on = 0;
+#ifdef VIMAGE_GLOBALS
+static int	ipsendredirects;
+static int	ip_checkinterface;
+static int	ip_keepfaith;
+static int	ip_sendsourcequench;
+int	ip_defttl;
+int	ip_do_randomid;
+int	ipforwarding;
+struct	in_ifaddrhead in_ifaddrhead; 		/* first inet address */
+struct	in_ifaddrhashhead *in_ifaddrhashtbl;	/* inet addr hash table  */
+u_long 	in_ifaddrhmask;				/* mask for hash table */
+struct ipstat ipstat;
+static int ip_rsvp_on;
+struct socket *ip_rsvpd;
+int	rsvp_on;
+static TAILQ_HEAD(ipqhead, ipq) ipq[IPREASS_NHASH];
+static int	maxnipq;	/* Administrative limit on # reass queues. */
+static int	maxfragsperpacket;
+int	ipstealth;
+static int	nipq;	/* Total # of reass queues */
+#endif
 
-int	ipforwarding = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_FORWARDING,
     forwarding, CTLFLAG_RW, ipforwarding, 0,
     "Enable IP forwarding between interfaces");
 
-static int	ipsendredirects = 1; /* XXX */
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_SENDREDIRECTS,
     redirect, CTLFLAG_RW, ipsendredirects, 0,
     "Enable sending IP redirects");
 
-int	ip_defttl = IPDEFTTL;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_DEFTTL,
     ttl, CTLFLAG_RW, ip_defttl, 0, "Maximum TTL on IP packets");
 
-static int	ip_keepfaith = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_KEEPFAITH,
     keepfaith, CTLFLAG_RW, ip_keepfaith,	0,
     "Enable packet capture for FAITH IPv4->IPv6 translater daemon");
 
-static int	ip_sendsourcequench = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO,
     sendsourcequench, CTLFLAG_RW, ip_sendsourcequench, 0,
     "Enable the transmission of source quench packets");
 
-int	ip_do_randomid = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, random_id,
     CTLFLAG_RW, ip_do_randomid, 0, "Assign random ip_id values");
 
@@ -132,7 +146,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, random_id,
  * to the loopback interface instead of the interface where the
  * packets for those addresses are received.
  */
-static int	ip_checkinterface = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO,
     check_interface, CTLFLAG_RW, ip_checkinterface, 0,
     "Verify packet arrives on correct interface");
@@ -145,9 +158,6 @@ static int	ipqmaxlen = IFQ_MAXLEN;
 extern	struct domain inetdomain;
 extern	struct protosw inetsw[];
 u_char	ip_protox[IPPROTO_MAX];
-struct	in_ifaddrhead in_ifaddrhead; 		/* first inet address */
-struct	in_ifaddrhashhead *in_ifaddrhashtbl;	/* inet addr hash table  */
-u_long 	in_ifaddrhmask;				/* mask for hash table */
 
 SYSCTL_INT(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLFLAG_RW,
     &ipintrq.ifq_maxlen, 0, "Maximum size of the IP input queue");
@@ -155,21 +165,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
     &ipintrq.ifq_drops, 0,
     "Number of packets dropped from the IP input queue");
 
-struct ipstat ipstat;
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RW,
     ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
 
-/*
- * IP datagram reassembly.
- */
-#define IPREASS_NHASH_LOG2      6
-#define IPREASS_NHASH           (1 << IPREASS_NHASH_LOG2)
-#define IPREASS_HMASK           (IPREASS_NHASH - 1)
-#define IPREASS_HASH(x,y) \
-	(((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
-
 static uma_zone_t ipq_zone;
-static TAILQ_HEAD(ipqhead, ipq) ipq[IPREASS_NHASH];
 static struct mtx ipqlock;
 
 #define	IPQ_LOCK()	mtx_lock(&ipqlock)
@@ -180,13 +179,10 @@ static struct mtx ipqlock;
 static void	maxnipq_update(void);
 static void	ipq_zone_change(void *);
 
-static int	maxnipq;	/* Administrative limit on # reass queues. */
-static int	nipq = 0;	/* Total # of reass queues */
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, fragpackets,
     CTLFLAG_RD, nipq, 0,
     "Current number of IPv4 fragment reassembly queue entries");
 
-static int	maxfragsperpacket;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, maxfragsperpacket,
     CTLFLAG_RW, maxfragsperpacket, 0,
     "Maximum number of IPv4 fragments allowed per packet");
@@ -199,7 +195,6 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
 #endif
 
 #ifdef IPSTEALTH
-int	ipstealth = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
     ipstealth, 0, "IP stealth mode, no TTL decrementation on forwarding");
 #endif
@@ -225,6 +220,37 @@ ip_init(void)
 	struct protosw *pr;
 	int i;
 
+	V_ipsendredirects = 1; /* XXX */
+	V_ip_checkinterface = 0;
+	V_ip_keepfaith = 0;
+	V_ip_sendsourcequench = 0;
+	V_rsvp_on = 0;
+	V_ip_defttl = IPDEFTTL;
+	V_ip_do_randomid = 0;
+	V_ipforwarding = 0;
+	V_ipstealth = 0;
+	V_nipq = 0;	/* Total # of reass queues */
+
+	V_ipport_lowfirstauto = IPPORT_RESERVED - 1;	/* 1023 */
+	V_ipport_lowlastauto = IPPORT_RESERVEDSTART;	/* 600 */
+	V_ipport_firstauto = IPPORT_EPHEMERALFIRST;	/* 10000 */
+	V_ipport_lastauto = IPPORT_EPHEMERALLAST;	/* 65535 */
+	V_ipport_hifirstauto = IPPORT_HIFIRSTAUTO;	/* 49152 */
+	V_ipport_hilastauto = IPPORT_HILASTAUTO;	/* 65535 */
+	V_ipport_reservedhigh = IPPORT_RESERVED - 1;	/* 1023 */
+	V_ipport_reservedlow = 0;
+	V_ipport_randomized = 1;	/* user controlled via sysctl */
+	V_ipport_randomcps = 10;	/* user controlled via sysctl */
+	V_ipport_randomtime = 45;	/* user controlled via sysctl */
+	V_ipport_stoprandom = 0;	/* toggled by ipport_tick */
+
+#ifdef NOTYET
+	/* XXX global static but not instantiated in this file */
+	V_ipfastforward_active = 0;
+	V_subnetsarelocal = 0;
+	V_sameprefixcarponly = 0;
+#endif
+
 	TAILQ_INIT(&V_in_ifaddrhead);
 	V_in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &V_in_ifaddrhmask);
 	pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
@@ -1591,8 +1617,6 @@ makedummy:
  * locking.  This code remains in ip_input.c as ip_mroute.c is optionally
  * compiled.
  */
-static int ip_rsvp_on;
-struct socket *ip_rsvpd;
 int
 ip_rsvp_init(struct socket *so)
 {
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 7612f67..75ef09d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -83,7 +83,9 @@ __FBSDID("$FreeBSD$");
 				  (ntohl(a.s_addr)>>8)&0xFF,\
 				  (ntohl(a.s_addr))&0xFF, y);
 
+#ifdef VIMAGE_GLOBALS
 u_short ip_id;
+#endif
 
 #ifdef MBUF_STRESS_TEST
 int mbuf_frag_size = 0;
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 8eca00a..dfe902e 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -76,8 +76,10 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
+#ifdef VIMAGE_GLOBALS
 struct	inpcbhead ripcb;
 struct	inpcbinfo ripcbinfo;
+#endif
 
 /* control hooks for ipfw and dummynet */
 ip_fw_ctl_t *ip_fw_ctl_ptr = NULL;
@@ -91,7 +93,9 @@ ip_dn_ctl_t *ip_dn_ctl_ptr = NULL;
 /*
  * The socket used to communicate with the multicast routing daemon.
  */
+#ifdef VIMAGE_GLOBALS
 struct socket  *ip_mrouter;
+#endif
 
 /*
  * The various mrouter and rsvp functions.
diff --git a/sys/netinet/tcp_hostcache.c b/sys/netinet/tcp_hostcache.c
index ec8f9ba..25dc44a 100644
--- a/sys/netinet/tcp_hostcache.c
+++ b/sys/netinet/tcp_hostcache.c
@@ -146,9 +146,11 @@ struct tcp_hostcache {
 	int	prune;
 	int	purgeall;
 };
-static struct tcp_hostcache tcp_hostcache;
 
+#ifdef VIMAGE_GLOBALS
+static struct tcp_hostcache tcp_hostcache;
 static struct callout tcp_hc_callout;
+#endif
 
 static struct hc_metrics *tcp_hc_lookup(struct in_conninfo *);
 static struct hc_metrics *tcp_hc_insert(struct in_conninfo *);
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index a7515ef..4c17f10d 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -99,7 +99,21 @@ __FBSDID("$FreeBSD$");
 
 static const int tcprexmtthresh = 3;
 
+#ifdef VIMAGE_GLOBALS
 struct	tcpstat tcpstat;
+int	blackhole;
+int	tcp_delack_enabled;
+int	drop_synfin;
+int	tcp_do_rfc3042;
+int	tcp_do_rfc3390;
+int	tcp_do_ecn;
+int	tcp_ecn_maxretries;
+int	tcp_insecure_rst;
+int	tcp_do_autorcvbuf;
+int	tcp_autorcvbuf_inc;
+int	tcp_autorcvbuf_max;
+#endif
+
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_STATS, stats,
     CTLFLAG_RW, tcpstat , tcpstat,
     "TCP statistics (struct tcpstat, netinet/tcp_var.h)");
@@ -108,59 +122,50 @@ int tcp_log_in_vain = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
     &tcp_log_in_vain, 0, "Log all incoming TCP segments to closed ports");
 
-static int blackhole = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
     blackhole, 0, "Do not send RST on segments to closed ports");
 
-int tcp_delack_enabled = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, delayed_ack,
     CTLFLAG_RW, tcp_delack_enabled, 0,
     "Delay ACK to try and piggyback it onto a data packet");
 
-static int drop_synfin = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, drop_synfin,
     CTLFLAG_RW, drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
 
-static int tcp_do_rfc3042 = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
     tcp_do_rfc3042, 0, "Enable RFC 3042 (Limited Transmit)");
 
-static int tcp_do_rfc3390 = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW,
     tcp_do_rfc3390, 0,
     "Enable RFC 3390 (Increasing TCP's Initial Congestion Window)");
 
-int	tcp_do_ecn = 0;
-int	tcp_ecn_maxretries = 1;
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, ecn, CTLFLAG_RW, 0, "TCP ECN");
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_ecn, OID_AUTO, enable,
     CTLFLAG_RW, tcp_do_ecn, 0, "TCP ECN support");
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_ecn, OID_AUTO, maxretries,
     CTLFLAG_RW, tcp_ecn_maxretries, 0, "Max retries before giving up on ECN");
 
-static int tcp_insecure_rst = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, insecure_rst,
     CTLFLAG_RW, tcp_insecure_rst, 0,
     "Follow the old (insecure) criteria for accepting RST packets");
 
-int	tcp_do_autorcvbuf = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_auto,
     CTLFLAG_RW, tcp_do_autorcvbuf, 0,
     "Enable automatic receive buffer sizing");
 
-int	tcp_autorcvbuf_inc = 16*1024;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_inc,
     CTLFLAG_RW, tcp_autorcvbuf_inc, 0,
     "Incrementor step size of automatic receive buffer");
 
-int	tcp_autorcvbuf_max = 256*1024;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_max,
     CTLFLAG_RW, tcp_autorcvbuf_max, 0,
     "Max size of automatic receive buffer");
 
+#ifdef VIMAGE_GLOBALS
 struct inpcbhead tcb;
-#define	tcb6	tcb  /* for KAME src sync over BSD*'s */
 struct inpcbinfo tcbinfo;
+#endif
+#define	tcb6	tcb  /* for KAME src sync over BSD*'s */
 
 static void	 tcp_dooptions(struct tcpopt *, u_char *, int, int);
 static void	 tcp_do_segment(struct mbuf *, struct tcphdr *,
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index b3a010b..ab92905 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -87,39 +87,42 @@ __FBSDID("$FreeBSD$");
 extern struct mbuf *m_copypack();
 #endif
 
-int path_mtu_discovery = 1;
+#ifdef VIMAGE_GLOBALS
+int path_mtu_discovery;
+int ss_fltsz;
+int ss_fltsz_local;
+int tcp_do_newreno;
+int tcp_do_tso;
+int tcp_do_autosndbuf;
+int tcp_autosndbuf_inc;
+int tcp_autosndbuf_max;
+#endif
+
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, path_mtu_discovery,
 	CTLFLAG_RW, path_mtu_discovery, 1, "Enable Path MTU Discovery");
 
-int ss_fltsz = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO,
 	slowstart_flightsize, CTLFLAG_RW,
 	ss_fltsz, 1, "Slow start flight size");
 
-int ss_fltsz_local = 4;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO,
 	local_slowstart_flightsize, CTLFLAG_RW,
 	ss_fltsz_local, 1, "Slow start flight size for local networks");
 
-int     tcp_do_newreno = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, newreno, CTLFLAG_RW,
 	tcp_do_newreno, 0, "Enable NewReno Algorithms");
 
-int	tcp_do_tso = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, tso, CTLFLAG_RW,
 	tcp_do_tso, 0, "Enable TCP Segmentation Offload");
 
-int	tcp_do_autosndbuf = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_auto,
 	CTLFLAG_RW,
 	tcp_do_autosndbuf, 0, "Enable automatic send buffer sizing");
 
-int	tcp_autosndbuf_inc = 8*1024;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_inc,
 	CTLFLAG_RW, tcp_autosndbuf_inc, 0,
 	"Incrementor step size of automatic send buffer");
 
-int	tcp_autosndbuf_max = 256*1024;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_max,
 	CTLFLAG_RW, tcp_autosndbuf_max, 0,
 	"Max size of automatic send buffer");
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 6f55e11..5f47be0 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -74,25 +74,28 @@ __FBSDID("$FreeBSD$");
 #include <netinet/tcp_debug.h>
 #endif /* TCPDEBUG */
 
+#ifdef VIMAGE_GLOBALS
+static int tcp_reass_maxseg;
+int tcp_reass_qsize;
+static int tcp_reass_maxqlen;
+static int tcp_reass_overflows;
+#endif
+
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
     "TCP Segment Reassembly Queue");
 
-static int tcp_reass_maxseg = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, maxsegments,
     CTLFLAG_RDTUN, tcp_reass_maxseg, 0,
     "Global maximum number of TCP Segments in Reassembly Queue");
 
-int tcp_reass_qsize = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, cursegments,
     CTLFLAG_RD, tcp_reass_qsize, 0,
     "Global number of TCP Segments currently in Reassembly Queue");
 
-static int tcp_reass_maxqlen = 48;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, maxqlen,
     CTLFLAG_RW, tcp_reass_maxqlen, 0,
     "Maximum number of TCP Segments per individual Reassembly Queue");
 
-static int tcp_reass_overflows = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, overflows,
     CTLFLAG_RD, tcp_reass_overflows, 0,
     "Global number of TCP Segment Reassembly Queue Overflows");
@@ -114,6 +117,11 @@ tcp_reass_init(void)
 {
 	INIT_VNET_INET(curvnet);
 
+	V_tcp_reass_maxseg = 0;
+	V_tcp_reass_qsize = 0;
+	V_tcp_reass_maxqlen = 48;
+	V_tcp_reass_overflows = 0;
+
 	V_tcp_reass_maxseg = nmbclusters / 16;
 	TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
 	    &V_tcp_reass_maxseg);
diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index 3c6ceca..9eb57ba 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -124,23 +124,26 @@ __FBSDID("$FreeBSD$");
 
 extern struct uma_zone *sack_hole_zone;
 
+#ifdef VIMAGE_GLOBALS
+int tcp_do_sack;
+int tcp_sack_maxholes;
+int tcp_sack_globalmaxholes;
+int tcp_sack_globalholes;
+#endif
+
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, sack, CTLFLAG_RW, 0, "TCP SACK");
-int tcp_do_sack = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, enable,
     CTLFLAG_RW, tcp_do_sack, 0, "Enable/Disable TCP SACK support");
 TUNABLE_INT("net.inet.tcp.sack.enable", &tcp_do_sack);
 
-static int tcp_sack_maxholes = 128;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, maxholes,
     CTLFLAG_RW, tcp_sack_maxholes, 0, 
     "Maximum number of TCP SACK holes allowed per connection");
 
-static int tcp_sack_globalmaxholes = 65536;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, globalmaxholes,
     CTLFLAG_RW, tcp_sack_globalmaxholes, 0, 
     "Global maximum number of TCP SACK holes");
 
-static int tcp_sack_globalholes = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, globalholes,
     CTLFLAG_RD, tcp_sack_globalholes, 0,
     "Global number of TCP SACK holes currently allocated");
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 02d654b..e28d40c 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -111,9 +111,20 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
-int	tcp_mssdflt = TCP_MSS;
+#ifdef VIMAGE_GLOBALS
+int	tcp_mssdflt;
 #ifdef INET6
-int	tcp_v6mssdflt = TCP6_MSS;
+int	tcp_v6mssdflt;
+#endif
+int	tcp_minmss;
+int	tcp_do_rfc1323;
+static int	icmp_may_rst;
+static int	tcp_isn_reseed_interval;
+static int	tcp_inflight_enable;
+static int	tcp_inflight_rttthresh;
+static int	tcp_inflight_min;
+static int	tcp_inflight_max;
+static int	tcp_inflight_stab;
 #endif
 
 static int
@@ -168,11 +179,9 @@ SYSCTL_PROC(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt, CTLTYPE_INT|CTLFLAG_RW,
  * with packet generation and sending. Set to zero to disable MINMSS
  * checking. This setting prevents us from sending too small packets.
  */
-int	tcp_minmss = TCP_MINMSS;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, minmss,
     CTLFLAG_RW, tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
 
-int	tcp_do_rfc1323 = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323,
     CTLFLAG_RW, tcp_do_rfc1323, 0,
     "Enable rfc1323 (high performance TCP) extensions");
@@ -192,12 +201,10 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0,
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, pcbcount,
     CTLFLAG_RD, tcbinfo.ipi_count, 0, "Number of active PCBs");
 
-static int	icmp_may_rst = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, icmp_may_rst,
     CTLFLAG_RW, icmp_may_rst, 0,
     "Certain ICMP unreachable messages may abort connections in SYN_SENT");
 
-static int	tcp_isn_reseed_interval = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, isn_reseed_interval,
     CTLFLAG_RW, tcp_isn_reseed_interval, 0,
     "Seconds between reseeding of ISN secret");
@@ -210,7 +217,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, isn_reseed_interval,
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, inflight, CTLFLAG_RW, 0,
     "TCP inflight data limiting");
 
-static int	tcp_inflight_enable = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, enable,
     CTLFLAG_RW, tcp_inflight_enable, 0,
     "Enable automatic TCP inflight data limiting");
@@ -219,20 +225,16 @@ static int	tcp_inflight_debug = 0;
 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW,
     &tcp_inflight_debug, 0, "Debug TCP inflight calculations");
 
-static int	tcp_inflight_rttthresh;
 SYSCTL_PROC(_net_inet_tcp_inflight, OID_AUTO, rttthresh, CTLTYPE_INT|CTLFLAG_RW,
     &tcp_inflight_rttthresh, 0, sysctl_msec_to_ticks, "I",
     "RTT threshold below which inflight will deactivate itself");
 
-static int	tcp_inflight_min = 6144;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, min,
     CTLFLAG_RW, tcp_inflight_min, 0, "Lower-bound for TCP inflight window");
 
-static int	tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, max,
     CTLFLAG_RW, tcp_inflight_max, 0, "Upper-bound for TCP inflight window");
 
-static int	tcp_inflight_stab = 20;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, stab,
     CTLFLAG_RW, tcp_inflight_stab, 0,
     "Inflight Algorithm Stabilization 20 = 2 packets");
@@ -297,8 +299,49 @@ void
 tcp_init(void)
 {
 	INIT_VNET_INET(curvnet);
+	int hashsize;
+
+	V_blackhole = 0;
+	V_tcp_delack_enabled = 1;
+	V_drop_synfin = 0;
+	V_tcp_do_rfc3042 = 1;
+	V_tcp_do_rfc3390 = 1;
+	V_tcp_do_ecn = 0;
+	V_tcp_ecn_maxretries = 1;
+	V_tcp_insecure_rst = 0;
+	V_tcp_do_autorcvbuf = 1;
+	V_tcp_autorcvbuf_inc = 16*1024;
+	V_tcp_autorcvbuf_max = 256*1024;
+
+	V_tcp_mssdflt = TCP_MSS;
+#ifdef INET6
+	V_tcp_v6mssdflt = TCP6_MSS;
+#endif
+	V_tcp_minmss = TCP_MINMSS;
+	V_tcp_do_rfc1323 = 1;
+	V_icmp_may_rst = 1;
+	V_tcp_isn_reseed_interval = 0;
+	V_tcp_inflight_enable = 1;
+	V_tcp_inflight_min = 6144;
+	V_tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
+	V_tcp_inflight_stab = 20;
+
+	V_path_mtu_discovery = 1;
+	V_ss_fltsz = 1;
+	V_ss_fltsz_local = 4;
+	V_tcp_do_newreno = 1;
+	V_tcp_do_tso = 1;
+	V_tcp_do_autosndbuf = 1;
+	V_tcp_autosndbuf_inc = 8*1024;
+	V_tcp_autosndbuf_max = 256*1024;
+
+	V_nolocaltimewait = 0;
+
+	V_tcp_do_sack = 1;
+	V_tcp_sack_maxholes = 128;
+	V_tcp_sack_globalmaxholes = 65536;
+	V_tcp_sack_globalholes = 0;
 
-	int hashsize = TCBHASHSIZE;
 	tcp_delacktime = TCPTV_DELACK;
 	tcp_keepinit = TCPTV_KEEP_INIT;
 	tcp_keepidle = TCPTV_KEEP_IDLE;
@@ -315,6 +358,7 @@ tcp_init(void)
 	INP_INFO_LOCK_INIT(&V_tcbinfo, "tcp");
 	LIST_INIT(&V_tcb);
 	V_tcbinfo.ipi_listhead = &V_tcb;
+	hashsize = TCBHASHSIZE;
 	TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize);
 	if (!powerof2(hashsize)) {
 		printf("WARNING: TCB hash size not a power of 2\n");
@@ -1429,10 +1473,12 @@ tcp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
 #define ISN_STATIC_INCREMENT 4096
 #define ISN_RANDOM_INCREMENT (4096 - 1)
 
+#ifdef VIMAGE_GLOBALS
 static u_char isn_secret[32];
 static int isn_last_reseed;
 static u_int32_t isn_offset, isn_offset_old;
 static MD5_CTX isn_ctx;
+#endif
 
 tcp_seq
 tcp_new_isn(struct tcpcb *tp)
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index c9f3b4f..a69b0b2 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -98,12 +98,17 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
-static int tcp_syncookies = 1;
+#ifdef VIMAGE_GLOBALS
+static struct tcp_syncache tcp_syncache;
+static int tcp_syncookies;
+static int tcp_syncookiesonly;
+int tcp_sc_rst_sock_fail;
+#endif
+
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_RW,
     &tcp_syncookies, 0,
     "Use TCP SYN cookies if the syncache overflows");
 
-static int tcp_syncookiesonly = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies_only, CTLFLAG_RW,
     &tcp_syncookiesonly, 0,
     "Use only TCP SYN cookies");
@@ -142,8 +147,6 @@ static struct syncache
 #define TCP_SYNCACHE_HASHSIZE		512
 #define TCP_SYNCACHE_BUCKETLIMIT	30
 
-static struct tcp_syncache tcp_syncache;
-
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, syncache, CTLFLAG_RW, 0, "TCP SYN cache");
 
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
@@ -166,7 +169,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
     rexmtlimit, CTLFLAG_RW,
     tcp_syncache.rexmt_limit, 0, "Limit on SYN/ACK retransmissions");
 
-int	tcp_sc_rst_sock_fail = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
      rst_on_sock_fail, CTLFLAG_RW,
      tcp_sc_rst_sock_fail, 0, "Send reset on socket allocation failure");
@@ -223,6 +225,10 @@ syncache_init(void)
 	INIT_VNET_INET(curvnet);
 	int i;
 
+	V_tcp_syncookies = 1;
+	V_tcp_syncookiesonly = 0;
+	V_tcp_sc_rst_sock_fail = 1;
+
 	V_tcp_syncache.cache_count = 0;
 	V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
 	V_tcp_syncache.bucket_limit = TCP_SYNCACHE_BUCKETLIMIT;
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 83b8aa6..a97b4a2 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -102,7 +102,10 @@ static int	maxtcptw;
  * queue pointers in each tcptw structure, are protected using the global
  * tcbinfo lock, which must be held over queue iteration and modification.
  */
+#ifdef VIMAGE_GLOBALS
 static TAILQ_HEAD(, tcptw)	twq_2msl;
+int	nolocaltimewait;
+#endif
 
 static void	tcp_tw_2msl_reset(struct tcptw *, int);
 static void	tcp_tw_2msl_stop(struct tcptw *);
@@ -147,7 +150,6 @@ SYSCTL_PROC(_net_inet_tcp, OID_AUTO, maxtcptw, CTLTYPE_INT|CTLFLAG_RW,
     &maxtcptw, 0, sysctl_maxtcptw, "IU",
     "Maximum number of compressed TCP TIME_WAIT entries");
 
-static int	nolocaltimewait = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, nolocaltimewait, CTLFLAG_RW,
     &nolocaltimewait, 0,
     "Do not create compressed TCP TIME_WAIT entries for local connections");
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 40f060b..3bef611 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -517,7 +517,26 @@ extern	int path_mtu_discovery;
 extern	int ss_fltsz;
 extern	int ss_fltsz_local;
 
+extern	int blackhole;
+extern	int drop_synfin;
+extern	int tcp_do_rfc3042;
+extern	int tcp_do_rfc3390;
+extern	int tcp_insecure_rst;
+extern	int tcp_do_autorcvbuf;
+extern	int tcp_autorcvbuf_inc;
+extern	int tcp_autorcvbuf_max;
+
+extern	int tcp_do_tso;
+extern	int tcp_do_autosndbuf;
+extern	int tcp_autosndbuf_inc;
+extern	int tcp_autosndbuf_max;
+
+extern	int nolocaltimewait;
+
 extern	int tcp_do_sack;		/* SACK enabled/disabled */
+extern	int tcp_sack_maxholes;
+extern	int tcp_sack_globalmaxholes;
+extern	int tcp_sack_globalholes;
 extern	int tcp_sc_rst_sock_fail;	/* RST on sock alloc failure */
 extern	int tcp_do_ecn;			/* TCP ECN enabled/disabled */
 extern	int tcp_ecn_maxretries;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index cbfdb6b..9409235 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -95,6 +95,10 @@ __FBSDID("$FreeBSD$");
  * Per RFC 768, August, 1980.
  */
 
+#ifdef VIMAGE_GLOBALS
+int	udp_blackhole;
+#endif
+
 /*
  * BSD 4.2 defaulted the udp checksum to be off.  Turning off udp checksums
  * removes the only data integrity mechanism for packets and malformed
@@ -109,7 +113,6 @@ int	udp_log_in_vain = 0;
 SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW,
     &udp_log_in_vain, 0, "Log all incoming UDP packets");
 
-int	udp_blackhole = 0;
 SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_RW, &udp_blackhole, 0,
     "Do not send port unreachables for refused connects");
 
@@ -129,14 +132,16 @@ u_long	udp_recvspace = 40 * (1024 +
 SYSCTL_ULONG(_net_inet_udp, UDPCTL_RECVSPACE, recvspace, CTLFLAG_RW,
     &udp_recvspace, 0, "Maximum space for incoming UDP datagrams");
 
+#ifdef VIMAGE_GLOBALS
 struct inpcbhead	udb;		/* from udp_var.h */
 struct inpcbinfo	udbinfo;
+struct udpstat		udpstat;	/* from udp_var.h */
+#endif
 
 #ifndef UDBHASHSIZE
 #define	UDBHASHSIZE	128
 #endif
 
-struct udpstat	udpstat;	/* from udp_var.h */
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_udp, UDPCTL_STATS, stats,
     CTLFLAG_RW, udpstat, udpstat,
     "UDP statistics (struct udpstat, netinet/udp_var.h)");
@@ -167,6 +172,8 @@ udp_init(void)
 {
 	INIT_VNET_INET(curvnet);
 
+	V_udp_blackhole = 0;
+
 	INP_INFO_LOCK_INIT(&V_udbinfo, "udp");
 	LIST_INIT(&V_udb);
 	V_udbinfo.ipi_listhead = &V_udb;
diff --git a/sys/netinet/vinet.h b/sys/netinet/vinet.h
index 1f16dfd..961e772 100644
--- a/sys/netinet/vinet.h
+++ b/sys/netinet/vinet.h
@@ -319,6 +319,8 @@ struct vnet_inet {
 #define	V_tcp_sack_maxholes	VNET_INET(tcp_sack_maxholes)
 #define	V_tcp_sc_rst_sock_fail	VNET_INET(tcp_sc_rst_sock_fail)
 #define	V_tcp_syncache		VNET_INET(tcp_syncache)
+#define	V_tcp_syncookies	VNET_INET(tcp_syncookies)
+#define	V_tcp_syncookiesonly	VNET_INET(tcp_syncookiesonly)
 #define	V_tcp_v6mssdflt		VNET_INET(tcp_v6mssdflt)
 #define	V_tcpstat		VNET_INET(tcpstat)
 #define	V_twq_2msl		VNET_INET(twq_2msl)