authorrwatson <rwatson@FreeBSD.org>2009-07-14 22:48:30 +0000
committerrwatson <rwatson@FreeBSD.org>2009-07-14 22:48:30 +0000
commit57ca4583e728cab422fba8f15de10bd0b637b3dd (patch)
tree13848f891fb2f7a396281b31633563d0f764ff65 /sys/netipsec
parentef443476d9706035ac219f0280ef0b817dda7a6d (diff)
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables. Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing them in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of the kernel linker. Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided. This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS. Bump __FreeBSD_version and update UPDATING. Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ah_var.h9
-rw-r--r--sys/netipsec/esp_var.h6
-rw-r--r--sys/netipsec/ipcomp_var.h6
-rw-r--r--sys/netipsec/ipip_var.h8
-rw-r--r--sys/netipsec/ipsec.c244
-rw-r--r--sys/netipsec/ipsec.h52
-rw-r--r--sys/netipsec/ipsec6.h19
-rw-r--r--sys/netipsec/ipsec_input.c7
-rw-r--r--sys/netipsec/ipsec_mbuf.c5
-rw-r--r--sys/netipsec/ipsec_output.c9
-rw-r--r--sys/netipsec/key.c209
-rw-r--r--sys/netipsec/key_debug.c2
-rw-r--r--sys/netipsec/key_debug.h3
-rw-r--r--sys/netipsec/keysock.c23
-rw-r--r--sys/netipsec/keysock.h8
-rw-r--r--sys/netipsec/vipsec.h184
-rw-r--r--sys/netipsec/xform_ah.c54
-rw-r--r--sys/netipsec/xform_esp.c57
-rw-r--r--sys/netipsec/xform_ipcomp.c39
-rw-r--r--sys/netipsec/xform_ipip.c40
-rw-r--r--sys/netipsec/xform_tcp.c3
21 files changed, 274 insertions, 713 deletions
diff --git a/sys/netipsec/ah_var.h b/sys/netipsec/ah_var.h
index 5a8c06e..974cc6c 100644
--- a/sys/netipsec/ah_var.h
+++ b/sys/netipsec/ah_var.h
@@ -71,8 +71,11 @@ struct ahstat {
};
#ifdef _KERNEL
-extern int ah_enable;
-extern int ah_cleartos;
-extern struct ahstat ahstat;
+VNET_DECLARE(int, ah_enable);
+#define V_ah_enable VNET_GET(ah_enable)
+VNET_DECLARE(int, ah_cleartos);
+#define V_ah_cleartos VNET_GET(ah_cleartos)
+VNET_DECLARE(struct ahstat, ahstat);
+#define V_ahstat VNET_GET(ahstat)
#endif /* _KERNEL */
#endif /*_NETIPSEC_AH_VAR_H_*/
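Review bot: The VNET_DECLARE/VNET_GET uses introduced here (and likewise in esp_var.h, ipcomp_var.h, ipip_var.h, ipsec.h and ipsec6.h later in this commit) make the header depend on <net/vnet.h> without including it; every .c file touched by this commit adds `#include <net/vnet.h>` ahead of the netipsec headers, so include order now matters for any other consumer. If the convention is that these kernel headers are not self-contained, a one-line `/* Requires <net/vnet.h> to be included first. */` above the `#ifdef _KERNEL` block records that; otherwise adding the include inside the `_KERNEL` guard makes the dependency explicit. This note applies to all six headers; I have not repeated it per file.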
diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h
index 278b996..66fcd39 100644
--- a/sys/netipsec/esp_var.h
+++ b/sys/netipsec/esp_var.h
@@ -72,7 +72,9 @@ struct espstat {
};
#ifdef _KERNEL
-extern int esp_enable;
-extern struct espstat espstat;
+VNET_DECLARE(int, esp_enable);
+#define V_esp_enable VNET_GET(esp_enable)
+VNET_DECLARE(struct espstat, espstat);
+#define V_espstat VNET_GET(espstat)
#endif /* _KERNEL */
#endif /*_NETIPSEC_ESP_VAR_H_*/
diff --git a/sys/netipsec/ipcomp_var.h b/sys/netipsec/ipcomp_var.h
index 6a506bb..d70c6a2 100644
--- a/sys/netipsec/ipcomp_var.h
+++ b/sys/netipsec/ipcomp_var.h
@@ -61,7 +61,9 @@ struct ipcompstat {
};
#ifdef _KERNEL
-extern int ipcomp_enable;
-extern struct ipcompstat ipcompstat;
+VNET_DECLARE(int, ipcomp_enable);
+#define V_ipcomp_enable VNET_GET(ipcomp_enable)
+VNET_DECLARE(struct ipcompstat, ipcompstat);
+#define V_ipcompstat VNET_GET(ipcompstat)
#endif /* _KERNEL */
#endif /*_NETIPSEC_IPCOMP_VAR_H_*/
diff --git a/sys/netipsec/ipip_var.h b/sys/netipsec/ipip_var.h
index 3d4ee15..a620b72 100644
--- a/sys/netipsec/ipip_var.h
+++ b/sys/netipsec/ipip_var.h
@@ -59,9 +59,9 @@ struct ipipstat
};
#ifdef _KERNEL
-extern int ipip_allow;
-#ifdef VIMAGE_GLOBALS
-extern struct ipipstat ipipstat;
-#endif
+VNET_DECLARE(int, ipip_allow);
+#define V_ipip_allow VNET_GET(ipip_allow)
+VNET_DECLARE(struct ipipstat, ipipstat);
+#define V_ipipstat VNET_GET(ipipstat)
#endif /* _KERNEL */
#endif /* _NETINET_IPIP_H_ */
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index dabd5b6..4a7001e 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -57,6 +57,7 @@
#include <net/if.h>
#include <net/route.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -97,30 +98,25 @@
#include <opencrypto/cryptodev.h>
-#ifndef VIMAGE
-#ifndef VIMAGE_GLOBALS
-struct vnet_ipsec vnet_ipsec_0;
-#endif
-#endif
-
-static int ipsec_iattach(const void *);
-#ifdef VIMAGE
-static int ipsec_idetach(const void *);
+#ifdef IPSEC_DEBUG
+VNET_DEFINE(int, ipsec_debug) = 1;
+#else
+VNET_DEFINE(int, ipsec_debug) = 0;
#endif
-
-#ifdef VIMAGE_GLOBALS
/* NB: name changed so netstat doesn't use it. */
-struct ipsecstat ipsec4stat;
-struct secpolicy ip4_def_policy;
-int ipsec_debug;
-int ip4_ah_offsetmask;
-int ip4_ipsec_dfbit;
-int ip4_esp_trans_deflev;
-int ip4_esp_net_deflev;
-int ip4_ah_trans_deflev;
-int ip4_ah_net_deflev;
-int ip4_ipsec_ecn;
-int ip4_esp_randpad;
+VNET_DEFINE(struct ipsecstat, ipsec4stat);
+VNET_DEFINE(int, ip4_ah_offsetmask) = 0; /* maybe IP_DF? */
+/* DF bit on encap. 0: clear 1: set 2: copy */
+VNET_DEFINE(int, ip4_ipsec_dfbit) = 0;
+VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip4_esp_net_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(struct secpolicy, ip4_def_policy);
+/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+VNET_DEFINE(int, ip4_ipsec_ecn) = 0;
+VNET_DEFINE(int, ip4_esp_randpad) = -1;
+
/*
* Crypto support requirements:
*
@@ -128,80 +124,74 @@ int ip4_esp_randpad;
* -1 require software support
* 0 take anything
*/
-int crypto_support;
-#endif /* VIMAGE_GLOBALS */
+VNET_DEFINE(int, crypto_support) = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
SYSCTL_DECL(_net_inet_ipsec);
/* net.inet.ipsec */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY,
- def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy,
+ CTLFLAG_RW, &VNET_NAME(ip4_def_policy).policy, 0,
"IPsec default policy.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV,
- esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
+ CTLFLAG_RW, &VNET_NAME(ip4_esp_trans_deflev), 0,
"Default ESP transport mode level");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV,
- esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
+ CTLFLAG_RW, &VNET_NAME(ip4_esp_net_deflev), 0,
"Default ESP tunnel mode level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV,
- ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
+ CTLFLAG_RW, &VNET_NAME(ip4_ah_trans_deflev), 0,
"AH transfer mode default level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV,
- ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
+ CTLFLAG_RW, &VNET_NAME(ip4_ah_net_deflev), 0,
"AH tunnel mode default level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
- ah_cleartos, CTLFLAG_RW, ah_cleartos, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos,
+ CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0,
"If set clear type-of-service field when doing AH computation.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
- ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask,
+ CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0,
"If not set clear offset field mask when doing AH computation.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DFBIT,
- dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit,
+ CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0,
"Do not fragment bit on encap.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_ECN,
- ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn,
+ CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0,
"Explicit Congestion Notification handling.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG,
- debug, CTLFLAG_RW, ipsec_debug, 0,
+SYSCTL_VNET_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug,
+ CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0,
"Enable IPsec debugging output when set.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
- crypto_support, CTLFLAG_RW, crypto_support,0,
+SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, crypto_support,
+ CTLFLAG_RW, &VNET_NAME(crypto_support), 0,
"Crypto driver selection.");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
- ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat,
+SYSCTL_VNET_STRUCT(_net_inet_ipsec, OID_AUTO, ipsecstats,
+ CTLFLAG_RD, &VNET_NAME(ipsec4stat), ipsecstat,
"IPsec IPv4 statistics.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
- filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0,
- "If set filter packets from an IPsec tunnel.");
#ifdef REGRESSION
-#ifdef VIMAGE_GLOBALS
-int ipsec_replay;
-int ipsec_integrity;
-#endif
/*
* When set to 1, IPsec will send packets with the same sequence number.
* This allows to verify if the other side has proper replay attacks detection.
*/
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
- CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
+VNET_DEFINE(int, ipsec_replay) = 0;
+SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, test_replay,
+ CTLFLAG_RW, &VNET_NAME(ipsec_replay), 0,
+ "Emulate replay attack");
/*
* When set 1, IPsec will send packets with corrupted HMAC.
* This allows to verify if the other side properly detects modified packets.
*/
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
- CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");
+VNET_DEFINE(int, ipsec_integrity) = 0;
+SYSCTL_VNET_INT(_net_inet_ipsec, OID_AUTO, test_integrity,
+ CTLFLAG_RW, &VNET_NAME(ipsec_integrity), 0,
+ "Emulate man-in-the-middle attack");
#endif
#ifdef INET6
-#ifdef VIMAGE_GLOBALS
-struct ipsecstat ipsec6stat;
-int ip6_esp_trans_deflev;
-int ip6_esp_net_deflev;
-int ip6_ah_trans_deflev;
-int ip6_ah_net_deflev;
-int ip6_ipsec_ecn;
-#endif
+VNET_DEFINE(struct ipsecstat, ipsec6stat);
+VNET_DEFINE(int, ip6_esp_trans_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip6_esp_net_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip6_ah_trans_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE;
+VNET_DEFINE(int, ip6_ipsec_ecn) = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
SYSCTL_DECL(_net_inet6_ipsec6);
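Review bot: The `net.inet.ipsec.filtertunnel` and `net.inet6.ipsec6.filtertunnel` sysctls are removed from this file together with the `ip4_ipsec_filtertunnel` / `ip6_ipsec6_filtertunnel` externs in ipsec.h and ipsec6.h, and their IPSEC_FILTERTUNNEL-dependent initialisation disappears with ipsec_init in the next hunk, yet no hunk in this directory defines or virtualises a replacement. These knobs decide whether traffic decapsulated from an IPsec tunnel is passed through the packet filter, so losing them silently would be a policy-relevant change rather than a mechanical one. The diffstat is limited to sys/netipsec, so the variables may well have moved to sys/netinet; if so, a comment next to the remaining sysctls (for example `/* filtertunnel knobs now live with the ip_ipsec glue. */`) or a line in the commit message would remove the ambiguity for readers of this file.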
@@ -210,33 +200,30 @@ SYSCTL_DECL(_net_inet6_ipsec6);
SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
0, 0, compat_ipsecstats_sysctl, "S", "IPsec IPv6 statistics.");
#endif /* COMPAT_KAME */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
- def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, def_policy, CTLFLAG_RW,
+ &VNET_NAME(ip4_def_policy).policy, 0,
"IPsec default policy.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV,
- esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV,
+ esp_trans_deflev, CTLFLAG_RW, &VNET_NAME(ip6_esp_trans_deflev), 0,
"Default ESP transport mode level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV,
- esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV,
+ esp_net_deflev, CTLFLAG_RW, &VNET_NAME(ip6_esp_net_deflev), 0,
"Default ESP tunnel mode level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV,
- ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV,
+ ah_trans_deflev, CTLFLAG_RW, &VNET_NAME(ip6_ah_trans_deflev), 0,
"AH transfer mode default level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV,
- ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV,
+ ah_net_deflev, CTLFLAG_RW, &VNET_NAME(ip6_ah_net_deflev), 0,
"AH tunnel mode default level.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN,
- ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
+ ecn, CTLFLAG_RW, &VNET_NAME(ip6_ipsec_ecn), 0,
"Explicit Congestion Notification handling.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
- debug, CTLFLAG_RW, ipsec_debug, 0,
+SYSCTL_VNET_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, CTLFLAG_RW,
+ &VNET_NAME(ipsec_debug), 0,
"Enable IPsec debugging output when set.");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS,
- ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat,
+SYSCTL_VNET_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
+ ipsecstats, CTLFLAG_RD, &VNET_NAME(ipsec6stat), ipsecstat,
"IPsec IPv6 statistics.");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO,
- filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0,
- "If set filter packets from an IPsec tunnel.");
#endif /* INET6 */
static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *));
@@ -253,72 +240,22 @@ static void vshiftl __P((unsigned char *, int, int));
MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
-#ifndef VIMAGE_GLOBALS
+static int ipsec_iattach(const void *);
+#ifdef VIMAGE
static const vnet_modinfo_t vnet_ipsec_modinfo = {
.vmi_id = VNET_MOD_IPSEC,
.vmi_name = "ipsec",
- .vmi_size = sizeof(struct vnet_ipsec),
.vmi_dependson = VNET_MOD_INET, /* XXX revisit - INET6 ? */
.vmi_iattach = ipsec_iattach,
-#ifdef VIMAGE
- .vmi_idetach = ipsec_idetach
-#endif
};
-#endif /* !VIMAGE_GLOBALS */
-
-void
-ipsec_init(void)
-{
- INIT_VNET_IPSEC(curvnet);
-
-#ifdef IPSEC_DEBUG
- V_ipsec_debug = 1;
-#else
- V_ipsec_debug = 0;
#endif
- V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */
- V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
- V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
- V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
- V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
- V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
- V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
- V_ip4_esp_randpad = -1;
-#ifdef IPSEC_FILTERTUNNEL
- V_ip4_ipsec_filtertunnel = 1;
-#else
- V_ip4_ipsec_filtertunnel = 0;
-#endif
-
- V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
-
-#ifdef REGRESSION
- V_ipsec_replay = 0;
- V_ipsec_integrity = 0;
-#endif
-
-#ifdef INET6
- V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
- V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
- V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
- V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
- V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
-#ifdef IPSEC_FILTERTUNNEL
- V_ip6_ipsec6_filtertunnel = 1;
-#else
- V_ip6_ipsec6_filtertunnel = 0;
-#endif
-#endif
-}
-
/*
* Return a held reference to the default SP.
*/
static struct secpolicy *
key_allocsp_default(const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
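Review bot: `vnet_ipsec_modinfo` no longer sets `.vmi_idetach`, and the `ipsec_idetach` stub is deleted further down in this file, so under VIMAGE nothing runs when a vnet is torn down even though `ipsec_iattach` initialises a per-vnet lock on `V_ip4_def_policy` and pins its refcnt. The old stub did nothing either, so this is not a regression, but the gap was at least marked with an "XXX revisit" and is now invisible; a line such as `/* XXX no vmi_idetach: the per-vnet default SP lock is never destroyed. */` next to `.vmi_iattach` would keep the follow-up discoverable. key_allocsp_default continues past the end of the hunk.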
@@ -384,7 +321,6 @@ ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir)
static struct secpolicy *
ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error)
{
- INIT_VNET_IPSEC(curvnet);
struct inpcbpolicy *pcbsp;
struct secpolicy *currsp = NULL; /* Policy on socket. */
struct secpolicy *sp;
@@ -482,7 +418,6 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error)
struct secpolicy *
ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicyindex spidx;
struct secpolicy *sp;
@@ -515,7 +450,6 @@ struct secpolicy *
ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
struct inpcb *inp)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
*error = 0;
@@ -587,7 +521,6 @@ ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp)
static int
ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
{
- INIT_VNET_IPSEC(curvnet);
struct ip *ip = NULL;
struct ip ipbuf;
u_int v;
@@ -778,7 +711,6 @@ ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
static void
ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
{
- INIT_VNET_IPSEC(curvnet);
int off, nxt;
struct tcphdr th;
struct udphdr uh;
@@ -891,7 +823,6 @@ ipsec_delpcbpolicy(struct inpcbpolicy *p)
int
ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp)
{
- INIT_VNET_IPSEC(curvnet);
struct inpcbpolicy *new;
/* Sanity check. */
@@ -1030,7 +961,6 @@ static int
ipsec_set_policy_internal(struct secpolicy **pcb_sp, int optname,
caddr_t request, size_t len, struct ucred *cred)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *newsp = NULL;
int error;
@@ -1079,7 +1009,6 @@ int
ipsec_set_policy(struct inpcb *inp, int optname, caddr_t request,
size_t len, struct ucred *cred)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy **pcb_sp;
@@ -1111,7 +1040,6 @@ int
ipsec_get_policy(struct inpcb *inp, caddr_t request, size_t len,
struct mbuf **mp)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *pcb_sp;
@@ -1182,7 +1110,6 @@ ipsec_delete_pcbpolicy(struct inpcb *inp)
u_int
ipsec_get_reqlevel(struct ipsecrequest *isr)
{
- INIT_VNET_IPSEC(curvnet);
u_int level = 0;
u_int esp_trans_deflev, esp_net_deflev;
u_int ah_trans_deflev, ah_net_deflev;
@@ -1287,7 +1214,6 @@ ipsec_get_reqlevel(struct ipsecrequest *isr)
int
ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
{
- INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
int need_auth;
@@ -1390,7 +1316,6 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
int
ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
{
- INIT_VNET_IPSEC(curvnet);
int result;
result = ipsec46_in_reject(m, inp);
@@ -1409,7 +1334,6 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
int
ipsec6_in_reject(struct mbuf *m, struct inpcb *inp)
{
- INIT_VNET_IPSEC(curvnet);
int result;
result = ipsec46_in_reject(m, inp);
@@ -1428,7 +1352,6 @@ ipsec6_in_reject(struct mbuf *m, struct inpcb *inp)
static size_t
ipsec_hdrsiz_internal(struct secpolicy *sp)
{
- INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
size_t size;
@@ -1491,7 +1414,6 @@ ipsec_hdrsiz_internal(struct secpolicy *sp)
size_t
ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int error;
size_t size;
@@ -1591,7 +1513,6 @@ ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
int
ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
{
- INIT_VNET_IPSEC(curvnet);
struct secreplay *replay;
u_int32_t diff;
int fr;
@@ -1791,10 +1712,10 @@ ipsec_dumpmbuf(struct mbuf *m)
}
static void
-ipsec_attach(void)
+ipsec_attach(const void *unused __unused)
{
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
vnet_mod_register(&vnet_ipsec_modinfo);
#else
ipsec_iattach(NULL);
@@ -1804,7 +1725,6 @@ ipsec_attach(void)
static int
ipsec_iattach(const void *unused __unused)
{
- INIT_VNET_IPSEC(curvnet);
SECPOLICY_LOCK_INIT(&V_ip4_def_policy);
V_ip4_def_policy.refcnt = 1; /* NB: disallow free. */
@@ -1812,16 +1732,6 @@ ipsec_iattach(const void *unused __unused)
return (0);
}
-#ifdef VIMAGE
-static int
-ipsec_idetach(const void *unused __unused)
-{
-
- /* XXX revisit this! */
-
- return (0);
-}
-#endif
SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL);
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index c869ec8..03df7bc 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -332,25 +332,40 @@ struct ipsec_history {
u_int32_t ih_spi;
};
-extern int ipsec_debug;
-#ifdef REGRESSION
-extern int ipsec_replay;
-extern int ipsec_integrity;
-#endif
+VNET_DECLARE(int, ipsec_debug);
+#define V_ipsec_debug VNET_GET(ipsec_debug)
+VNET_DECLARE(struct ipsecstat, ipsec4stat);
+#define V_ipsec4stat VNET_GET(ipsec4stat)
+VNET_DECLARE(int, ip4_ah_offsetmask);
+#define V_ip4_ah_offsetmask VNET_GET(ip4_ah_offsetmask)
+VNET_DECLARE(int, ip4_ipsec_dfbit);
+#define V_ip4_ipsec_dfbit VNET_GET(ip4_ipsec_dfbit)
+VNET_DECLARE(int, ip4_esp_trans_deflev);
+#define V_ip4_esp_trans_deflev VNET_GET(ip4_esp_trans_deflev)
+VNET_DECLARE(int, ip4_esp_net_deflev);
+#define V_ip4_esp_net_deflev VNET_GET(ip4_esp_net_deflev)
+VNET_DECLARE(int, ip4_ah_trans_deflev);
+#define V_ip4_ah_trans_deflev VNET_GET(ip4_ah_trans_deflev)
+VNET_DECLARE(int, ip4_ah_net_deflev);
+#define V_ip4_ah_net_deflev VNET_GET(ip4_ah_net_deflev)
+VNET_DECLARE(struct secpolicy, ip4_def_policy);
+#define V_ip4_def_policy VNET_GET(ip4_def_policy)
+VNET_DECLARE(int, ip4_ipsec_ecn);
+#define V_ip4_ipsec_ecn VNET_GET(ip4_ipsec_ecn)
+VNET_DECLARE(int, ip4_esp_randpad);
+#define V_ip4_esp_randpad VNET_GET(ip4_esp_randpad)
+
+VNET_DECLARE(int, crypto_support);
+#define V_crypto_support VNET_GET(crypto_support)
-extern struct ipsecstat ipsec4stat;
-extern struct secpolicy ip4_def_policy;
-extern int ip4_esp_trans_deflev;
-extern int ip4_esp_net_deflev;
-extern int ip4_ah_trans_deflev;
-extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
-extern int ip4_ah_offsetmask;
-extern int ip4_ipsec_dfbit;
-extern int ip4_ipsec_ecn;
-extern int ip4_ipsec_filtertunnel;
-extern int ip4_esp_randpad;
-extern int crypto_support;
+
+#ifdef REGRESSION
+VNET_DECLARE(int, ipsec_replay);
+#define V_ipsec_replay VNET_GET(ipsec_replay)
+VNET_DECLARE(int, ipsec_integrity);
+#define V_ipsec_integrity VNET_GET(ipsec_integrity)
+#endif
#define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0)
/* for openbsd compatibility */
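Review bot: `extern int ip4_ah_cleartos;` is the only declaration left untouched in this block while every neighbour became a VNET_DECLARE; the corresponding sysctl in ipsec.c binds to `VNET_NAME(ah_cleartos)`, which ah_var.h now declares per-vnet, so `ip4_ah_cleartos` looks like a stale name with no definition visible in this diff. If nothing defines it, dropping the line avoids an extern that can never resolve; if a definition does exist elsewhere, it should presumably follow the same pattern as the rest of the block, `VNET_DECLARE(int, ip4_ah_cleartos);` plus a `V_ip4_ah_cleartos` accessor, so callers do not reach a non-virtualised global by accident.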
@@ -360,7 +375,6 @@ extern struct ipsecrequest *ipsec_newisr(void);
extern void ipsec_delisr(struct ipsecrequest *);
struct tdb_ident;
-extern void ipsec_init(void);
extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int));
struct inpcb;
extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int,
@@ -434,8 +448,6 @@ extern char *ipsec_dump_policy __P((caddr_t, char *));
extern const char *ipsec_strerror __P((void));
-#else
-#include <netipsec/vipsec.h>
#endif /* ! KERNEL */
#endif /* _NETIPSEC_IPSEC_H_ */
diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h
index 2f49463..a04cbec 100644
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@@ -41,13 +41,18 @@
#include <netipsec/keydb.h>
#ifdef _KERNEL
-extern struct ipsecstat ipsec6stat;
-extern int ip6_esp_trans_deflev;
-extern int ip6_esp_net_deflev;
-extern int ip6_ah_trans_deflev;
-extern int ip6_ah_net_deflev;
-extern int ip6_ipsec_ecn;
-extern int ip6_ipsec6_filtertunnel;
+VNET_DECLARE(struct ipsecstat, ipsec6stat);
+#define V_ipsec6stat VNET_GET(ipsec6stat)
+VNET_DECLARE(int, ip6_esp_trans_deflev);
+#define V_ip6_esp_trans_deflev VNET_GET(ip6_esp_trans_deflev)
+VNET_DECLARE(int, ip6_esp_net_deflev);
+#define V_ip6_esp_net_deflev VNET_GET(ip6_esp_net_deflev)
+VNET_DECLARE(int, ip6_ah_trans_deflev);
+#define V_ip6_ah_trans_deflev VNET_GET(ip6_ah_trans_deflev)
+VNET_DECLARE(int, ip6_ah_net_deflev);
+#define V_ip6_ah_net_deflev VNET_GET(ip6_ah_net_deflev)
+VNET_DECLARE(int, ip6_ipsec_ecn);
+#define V_ip6_ipsec_ecn VNET_GET(ip6_ipsec_ecn)
struct inpcb;
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 4ec169b..78f023a 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -60,6 +60,7 @@
#include <net/pfil.h>
#include <net/route.h>
#include <net/netisr.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -74,7 +75,6 @@
#include <netinet/in_pcb.h>
#ifdef INET6
#include <netinet/icmp6.h>
-#include <netinet6/vinet6.h>
#endif
#include <netipsec/ipsec.h>
@@ -116,7 +116,6 @@ static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
static int
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
{
- INIT_VNET_IPSEC(curvnet);
union sockaddr_union dst_address;
struct secasvar *sav;
u_int32_t spi;
@@ -295,7 +294,6 @@ int
ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
int skip, int protoff, struct m_tag *mt)
{
- INIT_VNET_IPSEC(curvnet);
int prot, af, sproto;
struct ip *ip;
struct m_tag *mtag;
@@ -518,7 +516,6 @@ ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto)
int
ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
{
- INIT_VNET_IPSEC(curvnet);
int l = 0;
int protoff;
struct ip6_ext ip6e;
@@ -569,8 +566,6 @@ int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
struct m_tag *mt)
{
- INIT_VNET_INET6(curvnet);
- INIT_VNET_IPSEC(curvnet);
int prot, af, sproto;
struct ip6_hdr *ip6;
struct m_tag *mtag;
diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c
index d813c92..1b92881 100644
--- a/sys/netipsec/ipsec_mbuf.c
+++ b/sys/netipsec/ipsec_mbuf.c
@@ -39,6 +39,8 @@
#include <sys/vimage.h>
#include <net/route.h>
+#include <net/vnet.h>
+
#include <netinet/in.h>
#include <netipsec/ipsec.h>
@@ -54,7 +56,6 @@
struct mbuf *
m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *m;
unsigned remain;
@@ -158,7 +159,6 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
caddr_t
m_pad(struct mbuf *m, int n)
{
- INIT_VNET_IPSEC(curvnet);
register struct mbuf *m0, *m1;
register int len, pad;
caddr_t retval;
@@ -231,7 +231,6 @@ m_pad(struct mbuf *m, int n)
int
m_striphdr(struct mbuf *m, int skip, int hlen)
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *m1;
int roff;
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index b953786..f689fb2 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -47,6 +47,7 @@
#include <net/if.h>
#include <net/pfil.h>
#include <net/route.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -65,7 +66,6 @@
#include <netinet/in_pcb.h>
#ifdef INET6
#include <netinet/icmp6.h>
-#include <netinet6/vinet6.h>
#endif
#include <netipsec/ipsec.h>
@@ -96,7 +96,6 @@
int
ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
{
- INIT_VNET_IPSEC(curvnet);
struct tdb_ident *tdbi;
struct m_tag *mtag;
struct secasvar *sav;
@@ -264,7 +263,6 @@ ipsec_nextisr(
{
#define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \
isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
IPSECREQUEST_LOCK_ASSERT(isr);
@@ -408,7 +406,6 @@ ipsec4_process_packet(
int flags,
int tunalready)
{
- INIT_VNET_IPSEC(curvnet);
struct secasindex saidx;
struct secasvar *sav;
struct ip *ip;
@@ -622,7 +619,6 @@ ipsec6_output_trans(
int flags,
int *tun)
{
- INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
struct secasindex saidx;
int error = 0;
@@ -690,7 +686,6 @@ bad:
static int
ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
{
- INIT_VNET_IPSEC(curvnet);
struct ip6_hdr *oip6;
struct ip6_hdr *ip6;
size_t plen;
@@ -760,8 +755,6 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
int
ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
{
- INIT_VNET_INET6(curvnet);
- INIT_VNET_IPSEC(curvnet);
struct ip6_hdr *ip6;
struct ipsecrequest *isr;
struct secasindex saidx;
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 3dc6878..07a5945 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -61,6 +61,7 @@
#include <net/if.h>
#include <net/route.h>
#include <net/raw_cb.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -75,11 +76,9 @@
#ifdef INET
#include <netinet/in_pcb.h>
-#include <netinet/vinet.h>
#endif
#ifdef INET6
#include <netinet6/in6_pcb.h>
-#include <netinet6/vinet6.h>
#endif /* INET6 */
#include <net/pfkeyv2.h>
@@ -99,7 +98,6 @@
/* randomness */
#include <sys/random.h>
-#include <sys/vimage.h>
#define FULLMASK 0xff
#define _BITS(bytes) ((bytes) << 3)
@@ -115,31 +113,37 @@
* field hits 0 (= no external reference other than from SA header.
*/
-#ifdef VIMAGE_GLOBALS
-u_int32_t key_debug_level;
-static u_int key_spi_trycnt;
-static u_int32_t key_spi_minval;
-static u_int32_t key_spi_maxval;
-static u_int32_t policy_id;
-static u_int key_int_random;
-static u_int key_larval_lifetime;
-static int key_blockacq_count;
-static int key_blockacq_lifetime;
-static int key_preferred_oldsa;
-
-static u_int32_t acq_seq;
-
-static int ipsec_esp_keymin;
-static int ipsec_esp_auth;
-static int ipsec_ah_keymin;
-
-static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */
-static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
-static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
-static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
-#endif /* VIMAGE_GLOBALS */
-
+VNET_DEFINE(u_int32_t, key_debug_level) = 0;
+static VNET_DEFINE(u_int, key_spi_trycnt) = 1000;
+#define V_key_spi_trycnt VNET_GET(key_spi_trycnt)
+static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100;
+#define V_key_spi_minval VNET_GET(key_spi_minval)
+static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */
+#define V_key_spi_maxval VNET_GET(key_spi_maxval)
+static VNET_DEFINE(u_int32_t, policy_id) = 0;
+#define V_policy_id VNET_GET(policy_id)
+/*interval to initialize randseed,1(m)*/
+static VNET_DEFINE(u_int, key_int_random) = 60;
+#define V_key_int_random VNET_GET(key_int_random)
+/* interval to expire acquiring, 30(s)*/
+static VNET_DEFINE(u_int, key_larval_lifetime) = 30;
+#define V_key_larval_lifetime VNET_GET(key_larval_lifetime)
+/* counter for blocking SADB_ACQUIRE.*/
+static VNET_DEFINE(int, key_blockacq_count) = 10;
+#define V_key_blockacq_count VNET_GET(key_blockacq_count)
+/* lifetime for blocking SADB_ACQUIRE.*/
+static VNET_DEFINE(int, key_blockacq_lifetime) = 20;
+#define V_key_blockacq_lifetime VNET_GET(key_blockacq_lifetime)
+/* preferred old sa rather than new sa.*/
+static VNET_DEFINE(int, key_preferred_oldsa) = 1;
+#define V_key_preferred_oldsa VNET_GET(key_preferred_oldsa)
+
+static VNET_DEFINE(u_int32_t, acq_seq) = 0;
+#define V_acq_seq VNET_GET(acq_seq)
+
+ /* SPD */
+static VNET_DEFINE(LIST_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]);
+#define V_sptree VNET_GET(sptree)
static struct mtx sptree_lock;
#define SPTREE_LOCK_INIT() \
mtx_init(&sptree_lock, "sptree", \
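Review bot: `sptree` becomes per-vnet (`V_sptree`) while `sptree_lock` directly below it stays a single file-scope mutex, and the following hunks make the same split for sahtree/sahtree_lock, regtree/regtree_lock, acqtree/acq_lock and spacqtree/spacq_lock. One global lock serialising every vnet's SPD and SAD is safe, but readers will wonder whether it was intended; a comment such as `/* Locks are deliberately shared across vnets; only the lists they guard are per-vnet. */` above `static struct mtx sptree_lock;` would settle that. The hunk also turns previously uninitialised statics into static initialisers (`key_spi_trycnt = 1000`, `key_spi_maxval = 0x0fffffff`, ...); these are presumably the values key_init assigned before, but that code is outside this hunk, so it is worth confirming they match.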
@@ -149,6 +153,8 @@ static struct mtx sptree_lock;
#define SPTREE_UNLOCK() mtx_unlock(&sptree_lock)
#define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED)
+static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree); /* SAD */
+#define V_sahtree VNET_GET(sahtree)
static struct mtx sahtree_lock;
#define SAHTREE_LOCK_INIT() \
mtx_init(&sahtree_lock, "sahtree", \
@@ -159,6 +165,8 @@ static struct mtx sahtree_lock;
#define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED)
/* registed list */
+static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
+#define V_regtree VNET_GET(regtree)
static struct mtx regtree_lock;
#define REGTREE_LOCK_INIT() \
mtx_init(&regtree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -167,6 +175,8 @@ static struct mtx regtree_lock;
#define REGTREE_UNLOCK() mtx_unlock(&regtree_lock)
#define REGTREE_LOCK_ASSERT() mtx_assert(&regtree_lock, MA_OWNED)
+static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */
+#define V_acqtree VNET_GET(acqtree)
static struct mtx acq_lock;
#define ACQ_LOCK_INIT() \
mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -175,6 +185,9 @@ static struct mtx acq_lock;
#define ACQ_UNLOCK() mtx_unlock(&acq_lock)
#define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED)
+ /* SP acquiring list */
+static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree);
+#define V_spacqtree VNET_GET(spacqtree)
static struct mtx spacq_lock;
#define SPACQ_LOCK_INIT() \
mtx_init(&spacq_lock, "spacqtree", \
@@ -257,56 +270,63 @@ static const int maxsize[] = {
sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */
};
+static VNET_DEFINE(int, ipsec_esp_keymin) = 256;
+#define V_ipsec_esp_keymin VNET_GET(ipsec_esp_keymin)
+static VNET_DEFINE(int, ipsec_esp_auth) = 0;
+#define V_ipsec_esp_auth VNET_GET(ipsec_esp_auth)
+static VNET_DEFINE(int, ipsec_ah_keymin) = 128;
+#define V_ipsec_ah_keymin VNET_GET(ipsec_ah_keymin)
+
#ifdef SYSCTL_DECL
SYSCTL_DECL(_net_key);
#endif
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_DEBUG_LEVEL, debug,
- CTLFLAG_RW, key_debug_level, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug,
+ CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, "");
/* max count of trial for the decision of spi value */
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_SPI_TRY, spi_trycnt,
- CTLFLAG_RW, key_spi_trycnt, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt,
+ CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, "");
/* minimum spi value to allocate automatically. */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MIN_VALUE,
- spi_minval, CTLFLAG_RW, key_spi_minval, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MIN_VALUE,
+ spi_minval, CTLFLAG_RW, &VNET_NAME(key_spi_minval), 0, "");
/* maximun spi value to allocate automatically. */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MAX_VALUE,
- spi_maxval, CTLFLAG_RW, key_spi_maxval, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_MAX_VALUE,
+ spi_maxval, CTLFLAG_RW, &VNET_NAME(key_spi_maxval), 0, "");
/* interval to initialize randseed */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_RANDOM_INT,
- int_random, CTLFLAG_RW, key_int_random, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_RANDOM_INT,
+ int_random, CTLFLAG_RW, &VNET_NAME(key_int_random), 0, "");
/* lifetime for larval SA */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_LARVAL_LIFETIME,
- larval_lifetime, CTLFLAG_RW, key_larval_lifetime, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_LARVAL_LIFETIME,
+ larval_lifetime, CTLFLAG_RW, &VNET_NAME(key_larval_lifetime), 0, "");
/* counter for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_COUNT,
- blockacq_count, CTLFLAG_RW, key_blockacq_count, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_COUNT,
+ blockacq_count, CTLFLAG_RW, &VNET_NAME(key_blockacq_count), 0, "");
/* lifetime for blocking to send SADB_ACQUIRE to IKEd */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_LIFETIME,
- blockacq_lifetime, CTLFLAG_RW, key_blockacq_lifetime, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME,
+ blockacq_lifetime, CTLFLAG_RW, &VNET_NAME(key_blockacq_lifetime), 0, "");
/* ESP auth */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_AUTH, esp_auth,
- CTLFLAG_RW, ipsec_esp_auth, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth,
+ CTLFLAG_RW, &VNET_NAME(ipsec_esp_auth), 0, "");
/* minimum ESP key length */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_KEYMIN,
- esp_keymin, CTLFLAG_RW, ipsec_esp_keymin, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_ESP_KEYMIN,
+ esp_keymin, CTLFLAG_RW, &VNET_NAME(ipsec_esp_keymin), 0, "");
/* minimum AH key length */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_AH_KEYMIN, ah_keymin,
- CTLFLAG_RW, ipsec_ah_keymin, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin,
+ CTLFLAG_RW, &VNET_NAME(ipsec_ah_keymin), 0, "");
/* perfered old SA rather than new SA */
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_PREFERED_OLDSA,
- preferred_oldsa, CTLFLAG_RW, key_preferred_oldsa, 0, "");
+SYSCTL_VNET_INT(_net_key, KEYCTL_PREFERED_OLDSA,
+ preferred_oldsa, CTLFLAG_RW, &VNET_NAME(key_preferred_oldsa), 0, "");
#define __LIST_CHAINED(elm) \
(!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
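Review bot: Every SYSCTL_VNET_INT in this hunk (L931–L987) still registers with an empty description string while the intent lives only in the C comment above it, so `sysctl -d net.key` shows nothing; fold the comment into the last argument, e.g. `SYSCTL_VNET_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, &VNET_NAME(key_spi_trycnt), 0, "Max count of trials for deciding an SPI value");`. The xform_ah.c sysctl hunk ending at L1878 and the xform_esp.c one starting at L1963 have the same empty descriptions. Separately, key_spi_trycnt, key_spi_minval, key_spi_maxval, key_int_random and key_larval_lifetime are defined as u_int/u_int32_t (L850–L862) but exported through the signed int handler, so a negative value written from userland lands as a very large unsigned trial count, SPI bound or lifetime; an unsigned variant (SYSCTL_VNET_UINT) or a range-checking SYSCTL_VNET_PROC handler would close that, although this mirrors the pre-change SYSCTL_V_INT usage rather than being introduced by the commit.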
@@ -579,7 +599,6 @@ key_addref(struct secpolicy *sp)
int
key_havesp(u_int dir)
{
- INIT_VNET_IPSEC(curvnet);
return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
LIST_FIRST(&V_sptree[dir]) != NULL : 1);
@@ -595,7 +614,6 @@ key_havesp(u_int dir)
struct secpolicy *
key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -652,7 +670,6 @@ key_allocsp2(u_int32_t spi,
u_int dir,
const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(dst != NULL, ("null dst"));
@@ -715,7 +732,6 @@ key_gettunnel(const struct sockaddr *osrc,
const struct sockaddr *idst,
const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
const int dir = IPSEC_DIR_INBOUND;
struct ipsecrequest *r1, *r2, *p;
@@ -791,7 +807,6 @@ done:
int
key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx)
{
- INIT_VNET_IPSEC(curvnet);
u_int level;
int error;
@@ -887,7 +902,6 @@ static struct secasvar *
key_allocsa_policy(const struct secasindex *saidx)
{
#define N(a) _ARRAYLEN(a)
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, arraysize;
@@ -935,7 +949,6 @@ key_allocsa_policy(const struct secasindex *saidx)
static struct secasvar *
key_do_allocsa_policy(struct secashead *sah, u_int state)
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav, *nextsav, *candidate, *d;
/* initilize */
@@ -1081,7 +1094,6 @@ key_allocsa(
u_int32_t spi,
const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int stateidx, arraysize, state;
@@ -1160,7 +1172,6 @@ done:
void
_key_freesp(struct secpolicy **spp, const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp = *spp;
IPSEC_ASSERT(sp != NULL, ("null sp"));
@@ -1186,7 +1197,6 @@ _key_freesp(struct secpolicy **spp, const char* where, int tag)
void
key_freeso(struct socket *so)
{
- INIT_VNET_IPSEC(curvnet);
IPSEC_ASSERT(so != NULL, ("null so"));
switch (so->so_proto->pr_domain->dom_family) {
@@ -1237,7 +1247,6 @@ key_freesp_so(struct secpolicy **sp)
void
key_freesav(struct secasvar **psav, const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav = *psav;
IPSEC_ASSERT(sav != NULL, ("null sav"));
@@ -1296,7 +1305,6 @@ key_delsp(struct secpolicy *sp)
static struct secpolicy *
key_getsp(struct secpolicyindex *spidx)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
IPSEC_ASSERT(spidx != NULL, ("null spidx"));
@@ -1323,7 +1331,6 @@ key_getsp(struct secpolicyindex *spidx)
static struct secpolicy *
key_getspbyid(u_int32_t id)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
SPTREE_LOCK();
@@ -1353,7 +1360,6 @@ done:
struct secpolicy *
key_newsp(const char* where, int tag)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *newsp = NULL;
newsp = (struct secpolicy *)
@@ -1388,7 +1394,6 @@ key_msg2sp(xpl0, len, error)
size_t len;
int *error;
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *newsp;
IPSEC_ASSERT(xpl0 != NULL, ("null xpl0"));
@@ -1786,7 +1791,6 @@ key_spdadd(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct sadb_x_policy *xpl0, *xpl;
struct sadb_lifetime *lft = NULL;
@@ -2019,7 +2023,6 @@ key_spdadd(so, m, mhp)
static u_int32_t
key_getnewspid()
{
- INIT_VNET_IPSEC(curvnet);
u_int32_t newid = 0;
int count = V_key_spi_trycnt; /* XXX */
struct secpolicy *sp;
@@ -2061,7 +2064,6 @@ key_spddelete(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct sadb_x_policy *xpl0;
struct secpolicyindex spidx;
@@ -2170,7 +2172,6 @@ key_spddelete2(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
u_int32_t id;
struct secpolicy *sp;
@@ -2263,7 +2264,6 @@ key_spdget(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
u_int32_t id;
struct secpolicy *sp;
struct mbuf *n;
@@ -2315,7 +2315,6 @@ int
key_spdacquire(sp)
struct secpolicy *sp;
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *result = NULL, *m;
struct secspacq *newspacq;
@@ -2378,7 +2377,6 @@ key_spdflush(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_msg *newmsg;
struct secpolicy *sp;
u_int dir;
@@ -2431,7 +2429,6 @@ key_spddump(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int cnt;
u_int dir;
@@ -2704,7 +2701,6 @@ static struct secashead *
key_newsah(saidx)
struct secasindex *saidx;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *newsah;
IPSEC_ASSERT(saidx != NULL, ("null saidx"));
@@ -2733,7 +2729,6 @@ static void
key_delsah(sah)
struct secashead *sah;
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav, *nextsav;
u_int stateidx;
int zombie = 0;
@@ -2795,7 +2790,6 @@ key_newsav(m, mhp, sah, errp, where, tag)
const char* where;
int tag;
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *newsav;
const struct sadb_sa *xsa;
@@ -2962,7 +2956,6 @@ static struct secashead *
key_getsah(saidx)
struct secasindex *saidx;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
SAHTREE_LOCK();
@@ -2989,7 +2982,6 @@ key_checkspidup(saidx, spi)
struct secasindex *saidx;
u_int32_t spi;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
@@ -3026,7 +3018,6 @@ key_getsavbyspi(sah, spi)
struct secashead *sah;
u_int32_t spi;
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
u_int stateidx, state;
@@ -3070,7 +3061,6 @@ key_setsaval(sav, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
int error = 0;
IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -3306,7 +3296,6 @@ key_setsaval(sav, m, mhp)
static int
key_mature(struct secasvar *sav)
{
- INIT_VNET_IPSEC(curvnet);
int error;
/* check SPI value */
@@ -3782,7 +3771,6 @@ key_setsadbxport(u_int16_t port, u_int16_t type)
u_int16_t
key_portfromsaddr(struct sockaddr *sa)
{
- INIT_VNET_IPSEC(curvnet);
switch (sa->sa_family) {
#ifdef INET
@@ -3807,7 +3795,6 @@ key_portfromsaddr(struct sockaddr *sa)
static void
key_porttosaddr(struct sockaddr *sa, u_int16_t port)
{
- INIT_VNET_IPSEC(curvnet);
switch (sa->sa_family) {
#ifdef INET
@@ -3868,7 +3855,6 @@ struct seckey *
key_dup_keymsg(const struct sadb_key *src, u_int len,
struct malloc_type *type)
{
- INIT_VNET_IPSEC(curvnet);
struct seckey *dst;
dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
if (dst != NULL) {
@@ -3902,7 +3888,6 @@ static struct seclifetime *
key_dup_lifemsg(const struct sadb_lifetime *src,
struct malloc_type *type)
{
- INIT_VNET_IPSEC(curvnet);
struct seclifetime *dst = NULL;
dst = (struct seclifetime *)malloc(sizeof(struct seclifetime),
@@ -3928,7 +3913,6 @@ key_ismyaddr(sa)
struct sockaddr *sa;
{
#ifdef INET
- INIT_VNET_INET(curvnet);
struct sockaddr_in *sin;
struct in_ifaddr *ia;
#endif
@@ -3976,7 +3960,6 @@ static int
key_ismyaddr6(sin6)
struct sockaddr_in6 *sin6;
{
- INIT_VNET_INET6(curvnet);
struct in6_ifaddr *ia;
#if 0
struct in6_multi *in6m;
@@ -4325,7 +4308,6 @@ key_bbcmp(const void *a1, const void *a2, u_int bits)
static void
key_flush_spd(time_t now)
{
- INIT_VNET_IPSEC(curvnet);
static u_int16_t sptree_scangen = 0;
u_int16_t gen = sptree_scangen++;
struct secpolicy *sp;
@@ -4373,7 +4355,6 @@ restart:
static void
key_flush_sad(time_t now)
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah, *nextsah;
struct secasvar *sav, *nextsav;
@@ -4511,7 +4492,6 @@ key_flush_sad(time_t now)
static void
key_flush_acq(time_t now)
{
- INIT_VNET_IPSEC(curvnet);
struct secacq *acq, *nextacq;
/* ACQ tree */
@@ -4530,7 +4510,6 @@ key_flush_acq(time_t now)
static void
key_flush_spacq(time_t now)
{
- INIT_VNET_IPSEC(curvnet);
struct secspacq *acq, *nextacq;
/* SP ACQ tree */
@@ -4678,7 +4657,6 @@ key_getspi(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *newsah;
@@ -4913,7 +4891,6 @@ key_do_getnewspi(spirange, saidx)
struct sadb_spirange *spirange;
struct secasindex *saidx;
{
- INIT_VNET_IPSEC(curvnet);
u_int32_t newspi;
u_int32_t min, max;
int count = V_key_spi_trycnt;
@@ -4995,7 +4972,6 @@ key_update(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
#ifdef IPSEC_NAT_T
@@ -5286,7 +5262,6 @@ key_add(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
#ifdef IPSEC_NAT_T
@@ -5501,7 +5476,6 @@ key_setident(sah, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
const struct sadb_ident *idsrc, *iddst;
int idsrclen, iddstlen;
@@ -5624,7 +5598,6 @@ key_delete(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
struct secasindex saidx;
@@ -5770,7 +5743,6 @@ static int
key_delete_all(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp,
u_int16_t proto)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *sah;
@@ -5894,7 +5866,6 @@ key_get(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_sa *sa0;
struct sadb_address *src0, *dst0;
struct secasindex saidx;
@@ -6037,7 +6008,6 @@ key_getcomb_setlifetime(comb)
static struct mbuf *
key_getcomb_esp()
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_comb *comb;
struct enc_xform *algo;
struct mbuf *result = NULL, *m, *n;
@@ -6116,7 +6086,6 @@ key_getsizes_ah(
u_int16_t* min,
u_int16_t* max)
{
- INIT_VNET_IPSEC(curvnet);
*min = *max = ah->keysize;
if (ah->keysize == 0) {
@@ -6142,7 +6111,6 @@ key_getsizes_ah(
static struct mbuf *
key_getcomb_ah()
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_comb *comb;
struct auth_hash *algo;
struct mbuf *m;
@@ -6303,7 +6271,6 @@ key_getprop(saidx)
static int
key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *result = NULL, *m;
struct secacq *newacq;
u_int8_t satype;
@@ -6474,7 +6441,6 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
static struct secacq *
key_newacq(const struct secasindex *saidx)
{
- INIT_VNET_IPSEC(curvnet);
struct secacq *newacq;
/* get new entry */
@@ -6501,7 +6467,6 @@ key_newacq(const struct secasindex *saidx)
static struct secacq *
key_getacq(const struct secasindex *saidx)
{
- INIT_VNET_IPSEC(curvnet);
struct secacq *acq;
ACQ_LOCK();
@@ -6518,7 +6483,6 @@ static struct secacq *
key_getacqbyseq(seq)
u_int32_t seq;
{
- INIT_VNET_IPSEC(curvnet);
struct secacq *acq;
ACQ_LOCK();
@@ -6535,7 +6499,6 @@ static struct secspacq *
key_newspacq(spidx)
struct secpolicyindex *spidx;
{
- INIT_VNET_IPSEC(curvnet);
struct secspacq *acq;
/* get new entry */
@@ -6562,7 +6525,6 @@ static struct secspacq *
key_getspacq(spidx)
struct secpolicyindex *spidx;
{
- INIT_VNET_IPSEC(curvnet);
struct secspacq *acq;
SPACQ_LOCK();
@@ -6597,7 +6559,6 @@ key_acquire2(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
const struct sadb_address *src0, *dst0;
struct secasindex saidx;
struct secashead *sah;
@@ -6756,7 +6717,6 @@ key_register(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct secreg *reg, *newreg = 0;
IPSEC_ASSERT(so != NULL, ("null socket"));
@@ -6911,7 +6871,6 @@ key_register(so, m, mhp)
void
key_freereg(struct socket *so)
{
- INIT_VNET_IPSEC(curvnet);
struct secreg *reg;
int i;
@@ -7087,7 +7046,6 @@ key_flush(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_msg *newmsg;
struct secashead *sah, *nextsah;
struct secasvar *sav, *nextsav;
@@ -7171,7 +7129,6 @@ key_dump(so, m, mhp)
struct mbuf *m;
const struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct secasvar *sav;
u_int16_t proto;
@@ -7352,7 +7309,6 @@ key_parse(m, so)
struct mbuf *m;
struct socket *so;
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_msg *msg;
struct sadb_msghdr mh;
u_int orglen;
@@ -7624,7 +7580,6 @@ key_align(m, mhp)
struct mbuf *m;
struct sadb_msghdr *mhp;
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *n;
struct sadb_ext *ext;
size_t off, end;
@@ -7792,26 +7747,8 @@ key_validate_ext(ext, len)
void
key_init(void)
{
- INIT_VNET_IPSEC(curvnet);
int i;
- V_key_debug_level = 0;
- V_key_spi_trycnt = 1000;
- V_key_spi_minval = 0x100;
- V_key_spi_maxval = 0x0fffffff; /* XXX */
- V_policy_id = 0;
- V_key_int_random = 60; /*interval to initialize randseed,1(m)*/
- V_key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
- V_key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
- V_key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
- V_key_preferred_oldsa = 1; /* preferred old sa rather than new sa*/
-
- V_acq_seq = 0;
-
- V_ipsec_esp_keymin = 256;
- V_ipsec_esp_auth = 0;
- V_ipsec_ah_keymin = 128;
-
for (i = 0; i < IPSEC_DIR_MAX; i++)
LIST_INIT(&V_sptree[i]);
@@ -7850,7 +7787,6 @@ key_init(void)
void
key_destroy(void)
{
- INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp, *nextsp;
struct secspacq *acq, *nextacq;
struct secashead *sah, *nextsah;
@@ -7984,7 +7920,6 @@ void
key_sa_routechange(dst)
struct sockaddr *dst;
{
- INIT_VNET_IPSEC(curvnet);
struct secashead *sah;
struct route *ro;
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index a13a88a..da5dd75 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -44,9 +44,9 @@
#include <sys/queue.h>
#endif
#include <sys/socket.h>
-#include <sys/vimage.h>
#include <net/route.h>
+#include <net/vnet.h>
#include <netipsec/key_var.h>
#include <netipsec/key_debug.h>
diff --git a/sys/netipsec/key_debug.h b/sys/netipsec/key_debug.h
index 6ca0fe2..3082cc3 100644
--- a/sys/netipsec/key_debug.h
+++ b/sys/netipsec/key_debug.h
@@ -56,7 +56,8 @@
#define KEYDEBUG(lev,arg) \
do { if ((V_key_debug_level & (lev)) == (lev)) { arg; } } while (0)
-extern u_int32_t key_debug_level;
+VNET_DECLARE(u_int32_t, key_debug_level);
+#define V_key_debug_level VNET_GET(key_debug_level)
#endif /*_KERNEL*/
struct sadb_msg;
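Review bot: The header now expands VNET_DECLARE and VNET_GET (L1535–L1536) but the hunk shows no include of <net/vnet.h>; unless the part of key_debug.h outside this hunk already pulls it in, a translation unit that includes key_debug.h without first including net/vnet.h will fail to compile, so add `#include <net/vnet.h>` near the top of the header or document the ordering requirement. keysock.h has the same exposure at L1634–L1635. key_debug.c itself would not notice because it now includes net/vnet.h before key_debug.h (L1524–L1526).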
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index bb7cb00..1c79421 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -67,22 +67,25 @@
#include <machine/stdarg.h>
-#ifdef VIMAGE_GLOBALS
-static struct key_cb key_cb;
-struct pfkeystat pfkeystat;
-#endif
+struct key_cb {
+ int key_count;
+ int any_count;
+};
+static VNET_DEFINE(struct key_cb, key_cb);
+#define V_key_cb VNET_GET(key_cb)
-static struct sockaddr key_src = { 2, PF_KEY };
+static struct sockaddr key_src = { 2, PF_KEY, };
static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
+VNET_DEFINE(struct pfkeystat, pfkeystat);
+
/*
* key_output()
*/
int
key_output(struct mbuf *m, struct socket *so)
{
- INIT_VNET_IPSEC(curvnet);
struct sadb_msg *msg;
int len, error = 0;
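Review bot: `static struct sockaddr key_src = { 2, PF_KEY, };` on L1556 still relies on positional initialization with a bare 2 for sa_len; since the line is being touched anyway, `static struct sockaddr key_src = { .sa_len = 2, .sa_family = PF_KEY };` makes the field meanings explicit and drops the stray trailing comma. The moved `struct key_cb` (L1549–L1552) would also benefit from a one-line comment saying what key_count and any_count track (they look like per-vnet PF_KEY socket counters, but the hunk does not show their use). `VNET_DEFINE(struct pfkeystat, pfkeystat);` on L1558 sits between a prototype and key_output; grouping it with the key_cb definition on L1553 reads better. key_output's body continues outside the hunk.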
@@ -136,7 +139,6 @@ key_sendup0(rp, m, promisc)
struct mbuf *m;
int promisc;
{
- INIT_VNET_IPSEC(curvnet);
int error;
if (promisc) {
@@ -181,7 +183,6 @@ key_sendup(so, msg, len, target)
u_int len;
int target; /*target of the resulting message*/
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *m, *n, *mprev;
int tlen;
@@ -270,8 +271,6 @@ key_sendup_mbuf(so, m, target)
struct mbuf *m;
int target;
{
- INIT_VNET_NET(curvnet);
- INIT_VNET_IPSEC(curvnet);
struct mbuf *n;
struct keycb *kp;
int sendup;
@@ -389,7 +388,6 @@ key_abort(struct socket *so)
static int
key_attach(struct socket *so, int proto, struct thread *td)
{
- INIT_VNET_IPSEC(curvnet);
struct keycb *kp;
int error;
@@ -464,7 +462,6 @@ key_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
static void
key_detach(struct socket *so)
{
- INIT_VNET_IPSEC(curvnet);
struct keycb *kp = (struct keycb *)sotorawcb(so);
KASSERT(kp != NULL, ("key_detach: kp == NULL"));
@@ -567,10 +564,8 @@ struct protosw keysw[] = {
static void
key_init0(void)
{
- INIT_VNET_IPSEC(curvnet);
bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
- ipsec_init();
key_init();
}
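Review bot: The `ipsec_init();` call is removed from key_init0 (L1612) with nothing visible replacing it; if ipsec.c does not now run its own SYSINIT/VNET_SYSINIT for that setup, the IPsec core would no longer be initialised ahead of key_init, so a comment here or a line in the commit message stating where that initialisation moved would help a reader of this file. The remaining `bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));` on L1611 is presumably redundant now that key_cb is a VNET_DEFINE'd object (L1553) initialised from its zero reference copy, though it is harmless to keep.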
diff --git a/sys/netipsec/keysock.h b/sys/netipsec/keysock.h
index 1097206..bcc274b 100644
--- a/sys/netipsec/keysock.h
+++ b/sys/netipsec/keysock.h
@@ -58,11 +58,6 @@ struct pfkeystat {
u_quad_t sockerr; /* # of socket related errors */
};
-struct key_cb {
- int key_count;
- int any_count;
-};
-
#define KEY_SENDUP_ONE 0
#define KEY_SENDUP_ALL 1
#define KEY_SENDUP_REGISTERED 2
@@ -74,7 +69,8 @@ struct keycb {
int kp_registered; /* registered socket */
};
-extern struct pfkeystat pfkeystat;
+VNET_DECLARE(struct pfkeystat, pfkeystat);
+#define V_pfkeystat VNET_GET(pfkeystat)
extern int key_output(struct mbuf *m, struct socket *so);
extern int key_usrreq __P((struct socket *,
diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h
deleted file mode 100644
index 4a643e5..0000000
--- a/sys/netipsec/vipsec.h
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * Copyright (c) 2007-2008 University of Zagreb
- * Copyright (c) 2007-2008 FreeBSD Foundation
- *
- * This software was developed by the University of Zagreb and the
- * FreeBSD Foundation under sponsorship by the Stichting NLnet and the
- * FreeBSD Foundation.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-#ifndef _NETIPSEC_VIPSEC_H_
-#define _NETIPSEC_VIPSEC_H_
-
-#include <sys/protosw.h>
-
-#include <net/pfkeyv2.h>
-#include <net/raw_cb.h>
-
-#include <netipsec/ah_var.h>
-#include <netipsec/esp_var.h>
-#include <netipsec/ipcomp_var.h>
-#include <netipsec/ipip_var.h>
-#include <netipsec/ipsec.h>
-#include <netipsec/keysock.h>
-
-struct vnet_ipsec {
- int _ipsec_debug;
- struct ipsecstat _ipsec4stat;
- struct secpolicy _ip4_def_policy;
-
- int _ip4_esp_trans_deflev;
- int _ip4_esp_net_deflev;
- int _ip4_ah_trans_deflev;
- int _ip4_ah_net_deflev;
- int _ip4_ah_offsetmask;
- int _ip4_ipsec_dfbit;
- int _ip4_ipsec_ecn;
- int _ip4_ipsec_filtertunnel;
- int _ip4_esp_randpad;
-
- int _ipsec_replay;
- int _ipsec_integrity;
- int _crypto_support;
-
- u_int32_t _key_debug_level;
- u_int _key_spi_trycnt;
- u_int32_t _key_spi_minval;
- u_int32_t _key_spi_maxval;
- u_int32_t _policy_id;
- u_int _key_int_random;
- u_int _key_larval_lifetime;
- int _key_blockacq_count;
- int _key_blockacq_lifetime;
- int _key_preferred_oldsa;
- u_int32_t _acq_seq;
-
- int _esp_enable;
- struct espstat _espstat;
- int _esp_max_ivlen;
- int _ipsec_esp_keymin;
- int _ipsec_esp_auth;
- int _ipsec_ah_keymin;
- int _ipip_allow;
- struct ipipstat _ipipstat;
-
- struct ipsecstat _ipsec6stat;
- int _ip6_esp_trans_deflev;
- int _ip6_esp_net_deflev;
- int _ip6_ah_trans_deflev;
- int _ip6_ah_net_deflev;
- int _ip6_ipsec_ecn;
- int _ip6_ipsec6_filtertunnel;
-
- int _ah_enable;
- int _ah_cleartos;
- struct ahstat _ahstat;
-
- int _ipcomp_enable;
- struct ipcompstat _ipcompstat;
-
- struct pfkeystat _pfkeystat;
- struct key_cb _key_cb;
- LIST_HEAD(, secpolicy) _sptree[IPSEC_DIR_MAX];
- LIST_HEAD(, secashead) _sahtree;
- LIST_HEAD(, secreg) _regtree[SADB_SATYPE_MAX + 1];
- LIST_HEAD(, secacq) _acqtree;
- LIST_HEAD(, secspacq) _spacqtree;
-};
-
-/* Size guard. See sys/vimage.h. */
-VIMAGE_CTASSERT(SIZEOF_vnet_ipsec, sizeof(struct vnet_ipsec));
-
-#ifndef VIMAGE
-#ifndef VIMAGE_GLOBALS
-extern struct vnet_ipsec vnet_ipsec_0;
-#endif
-#endif
-
-/*
- * Symbol translation macros
- */
-#define INIT_VNET_IPSEC(vnet) \
- INIT_FROM_VNET(vnet, VNET_MOD_IPSEC, struct vnet_ipsec, vnet_ipsec)
-
-#define VNET_IPSEC(sym) VSYM(vnet_ipsec, sym)
-
-#define V_acq_seq VNET_IPSEC(acq_seq)
-#define V_acqtree VNET_IPSEC(acqtree)
-#define V_ah_cleartos VNET_IPSEC(ah_cleartos)
-#define V_ah_enable VNET_IPSEC(ah_enable)
-#define V_ahstat VNET_IPSEC(ahstat)
-#define V_crypto_support VNET_IPSEC(crypto_support)
-#define V_esp_enable VNET_IPSEC(esp_enable)
-#define V_esp_max_ivlen VNET_IPSEC(esp_max_ivlen)
-#define V_espstat VNET_IPSEC(espstat)
-#define V_ip4_ah_net_deflev VNET_IPSEC(ip4_ah_net_deflev)
-#define V_ip4_ah_offsetmask VNET_IPSEC(ip4_ah_offsetmask)
-#define V_ip4_ah_trans_deflev VNET_IPSEC(ip4_ah_trans_deflev)
-#define V_ip4_def_policy VNET_IPSEC(ip4_def_policy)
-#define V_ip4_esp_net_deflev VNET_IPSEC(ip4_esp_net_deflev)
-#define V_ip4_esp_randpad VNET_IPSEC(ip4_esp_randpad)
-#define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev)
-#define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit)
-#define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn)
-#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel)
-#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
-#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
-#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
-#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
-#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
-#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
-#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel)
-#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
-#define V_ipcompstat VNET_IPSEC(ipcompstat)
-#define V_ipip_allow VNET_IPSEC(ipip_allow)
-#define V_ipipstat VNET_IPSEC(ipipstat)
-#define V_ipsec4stat VNET_IPSEC(ipsec4stat)
-#define V_ipsec6stat VNET_IPSEC(ipsec6stat)
-#define V_ipsec_ah_keymin VNET_IPSEC(ipsec_ah_keymin)
-#define V_ipsec_debug VNET_IPSEC(ipsec_debug)
-#define V_ipsec_esp_auth VNET_IPSEC(ipsec_esp_auth)
-#define V_ipsec_esp_keymin VNET_IPSEC(ipsec_esp_keymin)
-#define V_ipsec_integrity VNET_IPSEC(ipsec_integrity)
-#define V_ipsec_replay VNET_IPSEC(ipsec_replay)
-#define V_key_blockacq_count VNET_IPSEC(key_blockacq_count)
-#define V_key_blockacq_lifetime VNET_IPSEC(key_blockacq_lifetime)
-#define V_key_cb VNET_IPSEC(key_cb)
-#define V_key_debug_level VNET_IPSEC(key_debug_level)
-#define V_key_int_random VNET_IPSEC(key_int_random)
-#define V_key_larval_lifetime VNET_IPSEC(key_larval_lifetime)
-#define V_key_preferred_oldsa VNET_IPSEC(key_preferred_oldsa)
-#define V_key_spi_maxval VNET_IPSEC(key_spi_maxval)
-#define V_key_spi_minval VNET_IPSEC(key_spi_minval)
-#define V_key_spi_trycnt VNET_IPSEC(key_spi_trycnt)
-#define V_pfkeystat VNET_IPSEC(pfkeystat)
-#define V_policy_id VNET_IPSEC(policy_id)
-#define V_regtree VNET_IPSEC(regtree)
-#define V_sahtree VNET_IPSEC(sahtree)
-#define V_spacqtree VNET_IPSEC(spacqtree)
-#define V_sptree VNET_IPSEC(sptree)
-
-#endif /* !_NETIPSEC_VIPSEC_H_ */
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 07d7001..658c92c 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -49,6 +49,7 @@
#include <sys/vimage.h>
#include <net/if.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
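Review bot: <sys/vimage.h> is still included on L1833 directly above the newly added <net/vnet.h>, whereas the key_debug.c hunk (L1522–L1524) replaces the former with the latter; if nothing in xform_ah.c still needs sys/vimage.h after the vnet_modinfo and ah_iattach removals, dropping it keeps the files consistent. The xform_esp.c include hunk (L1957–L1962) has the same leftover.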
@@ -73,17 +74,6 @@
#include <opencrypto/cryptodev.h>
-static int ah_iattach(const void *);
-
-#ifndef VIMAGE_GLOBALS
-static const vnet_modinfo_t vnet_ah_modinfo = {
- .vmi_id = VNET_MOD_AH,
- .vmi_name = "ipsec_ah",
- .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ah_iattach
-};
-#endif /* !VIMAGE_GLOBALS */
-
/*
* Return header size in bytes. The old protocol did not support
* the replay counter; the new protocol always includes the counter.
@@ -99,19 +89,17 @@ static const vnet_modinfo_t vnet_ah_modinfo = {
#define AUTHSIZE(sav) \
((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
-#ifdef VIMAGE_GLOBALS
-int ah_enable;
-int ah_cleartos;
-struct ahstat ahstat;
-#endif
+VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */
+VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */
+VNET_DEFINE(struct ahstat, ahstat);
SYSCTL_DECL(_net_inet_ah);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
- ah_enable, CTLFLAG_RW, ah_enable, 0, "");
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
- ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ahstat, ahstat, "");
+SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
+ ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
+SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
+ ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, "");
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
@@ -173,7 +161,6 @@ ah_hdrsiz(struct secasvar *sav)
int
ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
{
- INIT_VNET_IPSEC(curvnet);
struct auth_hash *thash;
int keylen;
@@ -228,7 +215,6 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
static int
ah_init(struct secasvar *sav, struct xformsw *xsp)
{
- INIT_VNET_IPSEC(curvnet);
struct cryptoini cria;
int error;
@@ -263,7 +249,6 @@ ah_zeroize(struct secasvar *sav)
static int
ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
{
- INIT_VNET_IPSEC(curvnet);
struct mbuf *m = *m0;
unsigned char *ptr;
int off, count;
@@ -568,7 +553,6 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
static int
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
- INIT_VNET_IPSEC(curvnet);
struct auth_hash *ahx;
struct tdb_ident *tdbi;
struct tdb_crypto *tc;
@@ -738,7 +722,6 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ah_input_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
int rplen, error, skip, protoff;
unsigned char calc[AH_ALEN_MAX];
struct mbuf *m;
@@ -901,7 +884,6 @@ ah_output(
int skip,
int protoff)
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
struct auth_hash *ahx;
struct cryptodesc *crda;
@@ -1128,7 +1110,6 @@ bad:
static int
ah_output_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
int skip, protoff, error;
struct tdb_crypto *tc;
struct ipsecrequest *isr;
@@ -1232,21 +1213,6 @@ ah_attach(void)
{
xform_register(&ah_xformsw);
-#ifndef VIMAGE_GLOBALS
- vnet_mod_register(&vnet_ah_modinfo);
-#else
- ah_iattach(NULL);
-#endif
}
-static int
-ah_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ah_enable = 1; /* control flow of packets with AH */
- V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */
-
- return (0);
-}
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 6508c14..afb9d2d 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -49,6 +49,7 @@
#include <sys/vimage.h>
#include <net/if.h>
+#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -76,30 +77,21 @@
#include <opencrypto/cryptodev.h>
#include <opencrypto/xform.h>
-#ifdef VIMAGE_GLOBALS
-struct espstat espstat;
-static int esp_max_ivlen; /* max iv length over all algorithms */
-int esp_enable;
-#endif
+VNET_DEFINE(int, esp_enable) = 1;
+VNET_DEFINE(struct espstat, espstat);
SYSCTL_DECL(_net_inet_esp);
-SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
- esp_enable, CTLFLAG_RW, esp_enable, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, espstat, espstat, "");
+SYSCTL_VNET_INT(_net_inet_esp, OID_AUTO,
+ esp_enable, CTLFLAG_RW, &VNET_NAME(esp_enable), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_esp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(espstat), espstat, "");
+
+/* max iv length over all algorithms */
+static VNET_DEFINE(int, esp_max_ivlen) = 0;
+#define V_esp_max_ivlen VNET_GET(esp_max_ivlen)
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
-static int esp_iattach(const void *);
-
-#ifndef VIMAGE_GLOBALS
-static const vnet_modinfo_t vnet_esp_modinfo = {
- .vmi_id = VNET_MOD_ESP,
- .vmi_name = "ipsec_esp",
- .vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = esp_iattach
-};
-#endif /* !VIMAGE_GLOBALS */
/*
* NB: this is public for use by the PF_KEY support.
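Review bot: `static VNET_DEFINE(int, esp_max_ivlen) = 0;` makes the maximum IV length a per-vnet variable, yet the only code that computes it is esp_attach in the `@@ -1000,27 +986,10 @@` hunk, a SYSINIT that runs once at boot in whatever vnet is current then; a network stack instance created later presumably starts from the static initializer 0 unless the allocator seeds new instances from the already-computed copy, which is worth confirming. The value depends only on the compiled-in enc_xform table and carries no per-stack state, so a plain `static int esp_max_ivlen;` with the `V_esp_max_ivlen` accessor dropped would be simpler and immune to that ordering question. Any reader of V_esp_max_ivlen outside the attach path would otherwise see 0 in such an instance, which matters if it is used to size headroom. esp_attach's body is split across that hunk and the following `@@ -1029,8 +998,8 @@` hunk.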
@@ -134,7 +126,6 @@ esp_algorithm_lookup(int alg)
size_t
esp_hdrsiz(struct secasvar *sav)
{
- INIT_VNET_IPSEC(curvnet);
size_t size;
if (sav != NULL) {
@@ -169,7 +160,6 @@ esp_hdrsiz(struct secasvar *sav)
static int
esp_init(struct secasvar *sav, struct xformsw *xsp)
{
- INIT_VNET_IPSEC(curvnet);
struct enc_xform *txform;
struct cryptoini cria, crie;
int keylen;
@@ -280,7 +270,6 @@ esp_zeroize(struct secasvar *sav)
static int
esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
- INIT_VNET_IPSEC(curvnet);
struct auth_hash *esph;
struct enc_xform *espx;
struct tdb_ident *tdbi;
@@ -463,7 +452,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
esp_input_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
int hlen, skip, protoff, error;
struct mbuf *m;
@@ -667,7 +655,6 @@ esp_output(
int protoff
)
{
- INIT_VNET_IPSEC(curvnet);
struct enc_xform *espx;
struct auth_hash *esph;
int hlen, rlen, plen, padding, blks, alen, i, roff;
@@ -898,7 +885,6 @@ bad:
static int
esp_output_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
@@ -1000,27 +986,10 @@ static struct xformsw esp_xformsw = {
static void
esp_attach(void)
{
-
- xform_register(&esp_xformsw);
-#ifndef VIMAGE_GLOBALS
- vnet_mod_register(&vnet_esp_modinfo);
-#else
- esp_iattach(NULL);
-#endif
-}
-
-static int
-esp_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
#define MAXIV(xform) \
if (xform.blocksize > V_esp_max_ivlen) \
V_esp_max_ivlen = xform.blocksize \
- V_esp_enable = 1;
- V_esp_max_ivlen = 0;
-
MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
@@ -1029,8 +998,8 @@ esp_iattach(const void *unused __unused)
MAXIV(enc_xform_skipjack); /* SADB_X_EALG_SKIPJACK */
MAXIV(enc_xform_null); /* SADB_EALG_NULL */
MAXIV(enc_xform_camellia); /* SADB_X_EALG_CAMELLIACBC */
-#undef MAXIV
- return (0);
+ xform_register(&esp_xformsw);
+#undef MAXIV
}
SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, esp_attach, NULL);
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 8e2f1c4..2ea83e0 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -49,6 +49,8 @@
#include <netinet/ip_var.h>
#include <net/route.h>
+#include <net/vnet.h>
+
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -67,29 +69,25 @@
#include <opencrypto/deflate.h>
#include <opencrypto/xform.h>
-#ifdef VIMAGE_GLOBALS
-int ipcomp_enable;
-struct ipcompstat ipcompstat;
-#endif
+VNET_DEFINE(int, ipcomp_enable) = 0;
+VNET_DEFINE(struct ipcompstat, ipcompstat);
SYSCTL_DECL(_net_inet_ipcomp);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
- ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ipcompstat, ipcompstat, "");
+SYSCTL_VNET_INT(_net_inet_ipcomp, OID_AUTO,
+ ipcomp_enable, CTLFLAG_RW, &VNET_NAME(ipcomp_enable), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ipcompstat), ipcompstat, "");
static int ipcomp_input_cb(struct cryptop *crp);
static int ipcomp_output_cb(struct cryptop *crp);
-static int ipcomp_iattach(const void *);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
static const vnet_modinfo_t vnet_ipcomp_modinfo = {
.vmi_id = VNET_MOD_IPCOMP,
.vmi_name = "ipsec_ipcomp",
.vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ipcomp_iattach
};
-#endif /* !VIMAGE_GLOBALS */
+#endif
struct comp_algo *
ipcomp_algorithm_lookup(int alg)
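Review bot: vnet_ipcomp_modinfo in the `#ifdef VIMAGE` block now carries only an id, a name and a dependency, with the `.vmi_iattach` initializer removed and ipcomp_iattach gone, so registering it in ipcomp_attach (`@@ -611,19 +604,9 @@`) only records the ordering dependency on VNET_MOD_IPSEC. The ah and esp files in this same commit drop their descriptor and the vnet_mod_register() call entirely, which leaves the three xforms inconsistent. Either the dependency is still needed here and in xform_ipip.c (`@@ -92,31 +91,27 @@` and `@@ -730,10 +710,8 @@`) and deserves a comment on the descriptor such as `/* Registered only to order this module after VNET_MOD_IPSEC; no per-vnet attach/detach is needed now that ipcomp_enable is statically initialized. */`, or the descriptor and the register call can go the same way as ah's and esp's.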
@@ -109,7 +107,6 @@ ipcomp_algorithm_lookup(int alg)
static int
ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
{
- INIT_VNET_IPSEC(curvnet);
struct comp_algo *tcomp;
struct cryptoini cric;
@@ -150,7 +147,6 @@ ipcomp_zeroize(struct secasvar *sav)
static int
ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
- INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct cryptodesc *crdc;
struct cryptop *crp;
@@ -221,7 +217,6 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ipcomp_input_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
struct cryptodesc *crd;
struct tdb_crypto *tc;
int skip, protoff;
@@ -342,7 +337,6 @@ ipcomp_output(
int protoff
)
{
- INIT_VNET_IPSEC(curvnet);
struct secasvar *sav;
struct comp_algo *ipcompx;
int error, ralen, hlen, maxpacketsize, roff;
@@ -501,7 +495,6 @@ bad:
static int
ipcomp_output_cb(struct cryptop *crp)
{
- INIT_VNET_IPSEC(curvnet);
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
@@ -611,19 +604,9 @@ ipcomp_attach(void)
{
xform_register(&ipcomp_xformsw);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
vnet_mod_register(&vnet_ipcomp_modinfo);
-#else
- ipcomp_iattach(NULL);
#endif
}
-static int
-ipcomp_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ipcomp_enable = 0;
- return (0);
-}
SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index d9cf8c6..8de23ec 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -68,7 +68,6 @@
#ifdef MROUTING
#include <netinet/ip_mroute.h>
#endif
-#include <netinet/vinet.h>
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -92,31 +91,27 @@
* We can control the acceptance of IP4 packets by altering the sysctl
* net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
*/
-#ifdef VIMAGE_GLOBALS
-int ipip_allow;
-struct ipipstat ipipstat;
-#endif
+VNET_DEFINE(int, ipip_allow) = 0;
+VNET_DEFINE(struct ipipstat, ipipstat);
SYSCTL_DECL(_net_inet_ipip);
-SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
- ipip_allow, CTLFLAG_RW, ipip_allow, 0, "");
-SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipip, IPSECCTL_STATS,
- stats, CTLFLAG_RD, ipipstat, ipipstat, "");
+SYSCTL_VNET_INT(_net_inet_ipip, OID_AUTO,
+ ipip_allow, CTLFLAG_RW, &VNET_NAME(ipip_allow), 0, "");
+SYSCTL_VNET_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, &VNET_NAME(ipipstat), ipipstat, "");
/* XXX IPCOMP */
#define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp);
-static int ipe4_iattach(const void *);
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
static const vnet_modinfo_t vnet_ipip_modinfo = {
.vmi_id = VNET_MOD_IPIP,
.vmi_name = "ipsec_ipip",
.vmi_dependson = VNET_MOD_IPSEC,
- .vmi_iattach = ipe4_iattach
};
-#endif /* !VIMAGE_GLOBALS */
+#endif
#ifdef INET6
/*
@@ -169,8 +164,6 @@ ip4_input(struct mbuf *m, int off)
static void
_ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
{
- INIT_VNET_NET(curvnet);
- INIT_VNET_IPSEC(curvnet);
#ifdef INET
register struct sockaddr_in *sin;
#endif
@@ -424,10 +417,6 @@ ipip_output(
int protoff
)
{
- INIT_VNET_IPSEC(curvnet);
-#ifdef INET
- INIT_VNET_INET(curvnet);
-#endif /* INET */
struct secasvar *sav;
u_int8_t tp, otos;
struct secasindex *saidx;
@@ -708,15 +697,6 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
}
-static int
-ipe4_iattach(const void *unused __unused)
-{
- INIT_VNET_IPSEC(curvnet);
-
- V_ipip_allow = 0;
- return (0);
-}
-
static void
ipe4_attach(void)
{
@@ -730,10 +710,8 @@ ipe4_attach(void)
(void) encap_attach_func(AF_INET6, -1,
ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
#endif
-#ifndef VIMAGE_GLOBALS
+#ifdef VIMAGE
vnet_mod_register(&vnet_ipip_modinfo);
-#else
- ipe4_iattach(NULL);
#endif
}
SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 35a4d43..1fad954 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -49,6 +49,8 @@
#include <netinet/tcp_var.h>
#include <net/route.h>
+#include <net/vnet.h>
+
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -83,7 +85,6 @@
static int
tcpsignature_init(struct secasvar *sav, struct xformsw *xsp)
{
- INIT_VNET_IPSEC(curvnet);
int keylen;
if (sav->spi != htonl(TCP_SIG_SPI)) {