28 files changed, 315 insertions, 117 deletions
diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index 3d1eba6..130ba0c 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -82,7 +82,12 @@ SYSCTL_DECL(_net_link_ether);
 SYSCTL_NODE(_net_link_ether, PF_INET, inet, CTLFLAG_RW, 0, "");
 
 /* timer values */
-static int arpt_keep = (20*60); /* once resolved, good for 20 more minutes */
+#ifdef VIMAGE_GLOBALS
+static int	arpt_keep; /* once resolved, good for 20 more minutes */
+static int	arp_maxtries;
+static int	useloopback; /* use loopback interface for local traffic */
+static int	arp_proxyall;
+#endif
 
 SYSCTL_INT(_net_link_ether_inet, OID_AUTO, max_age, CTLFLAG_RW, 
 	   &arpt_keep, 0, "ARP entry lifetime in seconds");
@@ -99,10 +104,6 @@ struct llinfo_arp {
 
 static struct	ifqueue arpintrq;
 
-static int	arp_maxtries = 5;
-static int	useloopback = 1; /* use loopback interface for local traffic */
-static int	arp_proxyall = 0;
-
 SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, maxtries,
 	CTLFLAG_RW, arp_maxtries, 0,
 	"ARP resolution attempts before returning error");
@@ -1076,6 +1077,12 @@ arp_ifinit2(struct ifnet *ifp, struct ifaddr *ifa, u_char *enaddr)
 static void
 arp_init(void)
 {
+	INIT_VNET_INET(curvnet);
+
+	V_arpt_keep = (20*60); /* once resolved, good for 20 more minutes */
+	V_arp_maxtries = 5;
+	V_useloopback = 1; /* use loopback interface for local traffic */
+	V_arp_proxyall = 0;
 
 	arpintrq.ifq_maxlen = 50;
 	mtx_init(&arpintrq.ifq_mtx, "arp_inq", NULL, MTX_DEF);
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index d047abe..f77434c 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -80,7 +80,9 @@ static MALLOC_DEFINE(M_IGMP, "igmp", "igmp state");
 static struct router_info	*find_rti(struct ifnet *ifp);
 static void	igmp_sendpkt(struct in_multi *, int, unsigned long);
 
+#ifdef VIMAGE_GLOBALS
 static struct igmpstat igmpstat;
+#endif
 
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_igmp, IGMPCTL_STATS,
     stats, CTLFLAG_RW, igmpstat, igmpstat, "");
@@ -92,8 +94,10 @@ SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_igmp, IGMPCTL_STATS,
  * reference counting is used.  We allow unlocked reads of router_info data
  * when accessed via an in_multi read-only.
  */
-static struct mtx igmp_mtx;
+#ifdef VIMAGE_GLOBALS
 static SLIST_HEAD(, router_info) router_info_head;
+#endif
+static struct mtx igmp_mtx;
 static int igmp_timers_are_running;
 
 /*
diff --git a/sys/netinet/in.c b/sys/netinet/in.c
index 0ce7dbd..f2d7ccb 100644
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@@ -66,18 +66,20 @@ static int	in_ifinit(struct ifnet *,
 	    struct in_ifaddr *, struct sockaddr_in *, int);
 static void	in_purgemaddrs(struct ifnet *);
 
-static int subnetsarelocal = 0;
+#ifdef VIMAGE_GLOBALS
+static int subnetsarelocal;
+static int sameprefixcarponly;
+extern struct inpcbinfo ripcbinfo;
+extern struct inpcbinfo udbinfo;
+#endif
+
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, subnets_are_local,
 	CTLFLAG_RW, subnetsarelocal, 0,
 	"Treat all subnets as directly connected");
-static int sameprefixcarponly = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, same_prefix_carp_only,
 	CTLFLAG_RW, sameprefixcarponly, 0,
 	"Refuse to create same prefixes on different interfaces");
 
-extern struct inpcbinfo ripcbinfo;
-extern struct inpcbinfo udbinfo;
-
 /*
  * Return 1 if an internet address is for a ``local'' host
  * (one to which we have a connection).  If subnetsarelocal
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index 6165421..f347102 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -85,7 +85,9 @@ struct protosw in_gif_protosw = {
 	.pr_usrreqs =		&rip_usrreqs
 };
 
-static int ip_gif_ttl = GIF_TTL;
+#ifdef VIMAGE_GLOBALS
+extern int ip_gif_ttl;
+#endif
 SYSCTL_V_INT(V_NET, vnet_gif, _net_inet_ip, IPCTL_GIF_TTL, gifttl,
 	CTLFLAG_RW, ip_gif_ttl,	0, "");
 
diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c
index 65e6be8..6cf6d92 100644
--- a/sys/netinet/in_mcast.c
+++ b/sys/netinet/in_mcast.c
@@ -86,7 +86,9 @@ static MALLOC_DEFINE(M_IPMSOURCE, "in_msource", "IPv4 multicast source filter");
  * ip_output() to send IGMP packets while holding the lock; this probably is
  * not quite desirable.
  */
+#ifdef VIMAGE_GLOBALS
 struct in_multihead in_multihead;	/* XXX BSS initialization */
+#endif
 struct mtx in_multi_mtx;
 MTX_SYSINIT(in_multi_mtx, &in_multi_mtx, "in_multi_mtx", MTX_DEF | MTX_RECURSE);
 
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 7732133..8611bee 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -84,32 +84,34 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
+#ifdef VIMAGE_GLOBALS
 /*
  * These configure the range of local port addresses assigned to
  * "unspecified" outgoing connections/packets/whatever.
  */
-int	ipport_lowfirstauto  = IPPORT_RESERVED - 1;	/* 1023 */
-int	ipport_lowlastauto = IPPORT_RESERVEDSTART;	/* 600 */
-int	ipport_firstauto = IPPORT_EPHEMERALFIRST;	/* 10000 */
-int	ipport_lastauto  = IPPORT_EPHEMERALLAST;	/* 65535 */
-int	ipport_hifirstauto = IPPORT_HIFIRSTAUTO;	/* 49152 */
-int	ipport_hilastauto  = IPPORT_HILASTAUTO;		/* 65535 */
+int	ipport_lowfirstauto;
+int	ipport_lowlastauto;
+int	ipport_firstauto;
+int	ipport_lastauto;
+int	ipport_hifirstauto;
+int	ipport_hilastauto;
 
 /*
  * Reserved ports accessible only to root. There are significant
  * security considerations that must be accounted for when changing these,
  * but the security benefits can be great. Please be careful.
  */
-int	ipport_reservedhigh = IPPORT_RESERVED - 1;	/* 1023 */
-int	ipport_reservedlow = 0;
+int	ipport_reservedhigh;
+int	ipport_reservedlow;
 
 /* Variables dealing with random ephemeral port allocation. */
-int	ipport_randomized = 1;	/* user controlled via sysctl */
-int	ipport_randomcps = 10;	/* user controlled via sysctl */
-int	ipport_randomtime = 45;	/* user controlled via sysctl */
-int	ipport_stoprandom = 0;	/* toggled by ipport_tick */
+int	ipport_randomized;
+int	ipport_randomcps;
+int	ipport_randomtime;
+int	ipport_stoprandom;
 int	ipport_tcpallocs;
 int	ipport_tcplastcount;
+#endif
 
 #define RANGECHK(var, min, max) \
 	if ((var) < (min)) { (var) = (min); } \
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 9a43511..076b262 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -450,6 +450,8 @@ extern int	ipport_lastauto;
 extern int	ipport_hifirstauto;
 extern int	ipport_hilastauto;
 extern int	ipport_randomized;
+extern int	ipport_randomcps;
+extern int	ipport_randomtime;
 extern int	ipport_stoprandom;
 extern int	ipport_tcpallocs;
 extern struct callout ipport_tick_callout;
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index aac2104..8af52f2 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -193,6 +193,7 @@ struct protosw inetsw[] = {
 	.pr_flags =		PR_ATOMIC|PR_ADDR|PR_LASTHDR,
 	.pr_input =		icmp_input,
 	.pr_ctloutput =		rip_ctloutput,
+	.pr_init =		icmp_init,
 	.pr_usrreqs =		&rip_usrreqs
 },
 {
diff --git a/sys/netinet/in_rmx.c b/sys/netinet/in_rmx.c
index 66b8bb3..d70aaa6 100644
--- a/sys/netinet/in_rmx.c
+++ b/sys/netinet/in_rmx.c
@@ -151,17 +151,20 @@ in_matroute(void *v_arg, struct radix_node_head *head)
 	return rn;
 }
 
-static int rtq_reallyold = 60*60;		/* one hour is "really old" */
+#ifdef VIMAGE_GLOBALS
+static int rtq_reallyold;
+static int rtq_minreallyold;
+static int rtq_toomany;
+#endif
+
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTEXPIRE, rtexpire,
     CTLFLAG_RW, rtq_reallyold, 0,
     "Default expiration time on dynamically learned routes");
 
-static int rtq_minreallyold = 10;  /* never automatically crank down to less */
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTMINEXPIRE,
     rtminexpire, CTLFLAG_RW, rtq_minreallyold, 0,
     "Minimum time to attempt to hold onto dynamically learned routes");
 
-static int rtq_toomany = 128;		/* 128 cached routes is "too many" */
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_RTMAXCACHE,
     rtmaxcache, CTLFLAG_RW, rtq_toomany, 0,
     "Upper limit on dynamically learned routes");
@@ -256,8 +259,10 @@ in_rtqkill(struct radix_node *rn, void *rock)
 }
 
 #define RTQ_TIMEOUT	60*10	/* run no less than once every ten minutes */
-static int rtq_timeout = RTQ_TIMEOUT;
+#ifdef VIMAGE_GLOBALS
+static int rtq_timeout;
 static struct callout rtq_timer;
+#endif
 
 static void in_rtqtimo_one(void *rock);
 
@@ -376,6 +381,11 @@ in_inithead(void **head, int off)
 	if (off == 0)		/* XXX MRT  see above */
 		return 1;	/* only do the rest for a real routing table */
 
+	V_rtq_reallyold = 60*60; /* one hour is "really old" */
+	V_rtq_minreallyold = 10; /* never automatically crank down to less */
+	V_rtq_toomany = 128;	 /* 128 cached routes is "too many" */
+	V_rtq_timeout = RTQ_TIMEOUT;
+
 	rnh = *head;
 	rnh->rnh_addaddr = in_addroute;
 	rnh->rnh_matchaddr = in_matroute;
diff --git a/sys/netinet/in_var.h b/sys/netinet/in_var.h
index 4999e90..1190826 100644
--- a/sys/netinet/in_var.h
+++ b/sys/netinet/in_var.h
@@ -138,6 +138,15 @@ do { \
 #endif
 
 /*
+ * IP datagram reassembly.
+ */
+#define	IPREASS_NHASH_LOG2	6
+#define	IPREASS_NHASH		(1 << IPREASS_NHASH_LOG2)
+#define	IPREASS_HMASK		(IPREASS_NHASH - 1)
+#define	IPREASS_HASH(x,y) \
+	(((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
+
+/*
  * This information should be part of the ifnet structure but we don't wish
  * to change that - as it might break a number of things
  */
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index bac4534..dc000cb 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -112,8 +112,10 @@ __FBSDID("$FreeBSD$");
  */
 
 /* Internal variables. */
+#ifdef VIMAGE_GLOBALS
 static struct inpcbhead divcb;
 static struct inpcbinfo divcbinfo;
+#endif
 
 static u_long	div_sendspace = DIVSNDQ;	/* XXX sysctl ? */
 static u_long	div_recvspace = DIVRCVQ;	/* XXX sysctl ? */
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 4cdfd6b..7af1758 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -106,7 +106,9 @@ __FBSDID("$FreeBSD$");
 
 #include <machine/in_cksum.h>
 
-static int ipfastforward_active = 0;
+#ifdef VIMAGE_GLOBALS
+static int ipfastforward_active;
+#endif
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, fastforwarding,
     CTLFLAG_RW, ipfastforward_active, 0, "Enable fast IP forwarding");
 
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 2487533..e631dae 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -77,47 +77,51 @@ __FBSDID("$FreeBSD$");
  * host table maintenance routines.
  */
 
-struct	icmpstat icmpstat;
+#ifdef VIMAGE_GLOBALS
+struct icmpstat	icmpstat;
+static int	icmpmaskrepl;
+static u_int	icmpmaskfake;
+static int	drop_redirect;
+static int	log_redirect;
+static int	icmplim;
+static int	icmplim_output;
+static char	reply_src[IFNAMSIZ];
+static int	icmp_rfi;
+static int	icmp_quotelen;
+static int	icmpbmcastecho;
+#endif
+
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_STATS, stats,
 	CTLFLAG_RW, icmpstat, icmpstat, "");
 
-static int	icmpmaskrepl = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_MASKREPL, maskrepl,
 	CTLFLAG_RW, icmpmaskrepl, 0,
 	"Reply to ICMP Address Mask Request packets.");
 
-static u_int	icmpmaskfake = 0;
 SYSCTL_V_UINT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, maskfake, CTLFLAG_RW,
 	icmpmaskfake, 0, "Fake reply to ICMP Address Mask Request packets.");
 
-static int	drop_redirect = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, drop_redirect,
 	CTLFLAG_RW, drop_redirect, 0, "Ignore ICMP redirects");
 
-static int	log_redirect = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, log_redirect,
 	CTLFLAG_RW, log_redirect, 0, "Log ICMP redirects to the console");
 
-static int      icmplim = 200;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_ICMPLIM, icmplim,
 	CTLFLAG_RW, icmplim, 0, "Maximum number of ICMP responses per second");
 
-static int	icmplim_output = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, icmplim_output,
 	CTLFLAG_RW, icmplim_output, 0,
 	"Enable rate limiting of ICMP responses");
 
-static char	reply_src[IFNAMSIZ];
 SYSCTL_V_STRING(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, reply_src,
 	CTLFLAG_RW, reply_src, IFNAMSIZ,
 	"icmp reply source for non-local packets.");
 
-static int	icmp_rfi = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, reply_from_interface,
 	CTLFLAG_RW, icmp_rfi, 0, "ICMP reply from incoming interface for "
 	"non-local packets");
 
-static int	icmp_quotelen = 8;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_RW,
 	icmp_quotelen, 0, "Number of bytes from original packet to "
 	"quote in ICMP reply");
@@ -126,7 +130,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, quotelen, CTLFLAG_RW,
  * ICMP broadcast echo sysctl
  */
 
-static int	icmpbmcastecho = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_icmp, OID_AUTO, bmcastecho,
 	CTLFLAG_RW, icmpbmcastecho, 0, "");
 
@@ -140,6 +143,22 @@ static void	icmp_send(struct mbuf *, struct mbuf *);
 
 extern	struct protosw inetsw[];
 
+void
+icmp_init(void)
+{
+	INIT_VNET_INET(curvnet);
+
+	V_icmpmaskrepl = 0;
+	V_icmpmaskfake = 0;
+	V_drop_redirect = 0;
+	V_log_redirect = 0;
+	V_icmplim = 200;
+	V_icmplim_output = 1;
+	V_icmp_rfi = 0;
+	V_icmp_quotelen = 8;
+	V_icmpbmcastecho = 0;
+}
+
 /*
  * Generate an error packet of type error
  * in response to bad packet ip.
diff --git a/sys/netinet/ip_icmp.h b/sys/netinet/ip_icmp.h
index e212083..a55c6fc 100644
--- a/sys/netinet/ip_icmp.h
+++ b/sys/netinet/ip_icmp.h
@@ -204,6 +204,7 @@ struct icmp {
 #ifdef _KERNEL
 void	icmp_error(struct mbuf *, int, int, n_long, int);
 void	icmp_input(struct mbuf *, int);
+void	icmp_init(void);
 int	ip_next_mtu(int, int);
 #endif
 
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index ce92c2f..8e40d84 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -89,33 +89,47 @@ __FBSDID("$FreeBSD$");
 CTASSERT(sizeof(struct ip) == 20);
 #endif
 
-int rsvp_on = 0;
+#ifdef VIMAGE_GLOBALS
+static int	ipsendredirects;
+static int	ip_checkinterface;
+static int	ip_keepfaith;
+static int	ip_sendsourcequench;
+int	ip_defttl;
+int	ip_do_randomid;
+int	ipforwarding;
+struct	in_ifaddrhead in_ifaddrhead; 		/* first inet address */
+struct	in_ifaddrhashhead *in_ifaddrhashtbl;	/* inet addr hash table  */
+u_long 	in_ifaddrhmask;				/* mask for hash table */
+struct ipstat ipstat;
+static int ip_rsvp_on;
+struct socket *ip_rsvpd;
+int	rsvp_on;
+static TAILQ_HEAD(ipqhead, ipq) ipq[IPREASS_NHASH];
+static int	maxnipq;	/* Administrative limit on # reass queues. */
+static int	maxfragsperpacket;
+int	ipstealth;
+static int	nipq;	/* Total # of reass queues */
+#endif
 
-int	ipforwarding = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_FORWARDING,
     forwarding, CTLFLAG_RW, ipforwarding, 0,
     "Enable IP forwarding between interfaces");
 
-static int	ipsendredirects = 1; /* XXX */
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_SENDREDIRECTS,
     redirect, CTLFLAG_RW, ipsendredirects, 0,
     "Enable sending IP redirects");
 
-int	ip_defttl = IPDEFTTL;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_DEFTTL,
     ttl, CTLFLAG_RW, ip_defttl, 0, "Maximum TTL on IP packets");
 
-static int	ip_keepfaith = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, IPCTL_KEEPFAITH,
     keepfaith, CTLFLAG_RW, ip_keepfaith,	0,
     "Enable packet capture for FAITH IPv4->IPv6 translater daemon");
 
-static int	ip_sendsourcequench = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO,
     sendsourcequench, CTLFLAG_RW, ip_sendsourcequench, 0,
     "Enable the transmission of source quench packets");
 
-int	ip_do_randomid = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, random_id,
     CTLFLAG_RW, ip_do_randomid, 0, "Assign random ip_id values");
 
@@ -132,7 +146,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, random_id,
  * to the loopback interface instead of the interface where the
  * packets for those addresses are received.
  */
-static int	ip_checkinterface = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO,
     check_interface, CTLFLAG_RW, ip_checkinterface, 0,
     "Verify packet arrives on correct interface");
@@ -145,9 +158,6 @@ static int	ipqmaxlen = IFQ_MAXLEN;
 extern	struct domain inetdomain;
 extern	struct protosw inetsw[];
 u_char	ip_protox[IPPROTO_MAX];
-struct	in_ifaddrhead in_ifaddrhead; 		/* first inet address */
-struct	in_ifaddrhashhead *in_ifaddrhashtbl;	/* inet addr hash table  */
-u_long 	in_ifaddrhmask;				/* mask for hash table */
 
 SYSCTL_INT(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLFLAG_RW,
     &ipintrq.ifq_maxlen, 0, "Maximum size of the IP input queue");
@@ -155,21 +165,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
     &ipintrq.ifq_drops, 0,
     "Number of packets dropped from the IP input queue");
 
-struct ipstat ipstat;
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RW,
     ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
 
-/*
- * IP datagram reassembly.
- */
-#define IPREASS_NHASH_LOG2      6
-#define IPREASS_NHASH           (1 << IPREASS_NHASH_LOG2)
-#define IPREASS_HMASK           (IPREASS_NHASH - 1)
-#define IPREASS_HASH(x,y) \
-	(((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
-
 static uma_zone_t ipq_zone;
-static TAILQ_HEAD(ipqhead, ipq) ipq[IPREASS_NHASH];
 static struct mtx ipqlock;
 
 #define	IPQ_LOCK()	mtx_lock(&ipqlock)
@@ -180,13 +179,10 @@ static struct mtx ipqlock;
 static void	maxnipq_update(void);
 static void	ipq_zone_change(void *);
 
-static int	maxnipq;	/* Administrative limit on # reass queues. */
-static int	nipq = 0;	/* Total # of reass queues */
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, fragpackets,
     CTLFLAG_RD, nipq, 0,
     "Current number of IPv4 fragment reassembly queue entries");
 
-static int	maxfragsperpacket;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, maxfragsperpacket,
     CTLFLAG_RW, maxfragsperpacket, 0,
     "Maximum number of IPv4 fragments allowed per packet");
@@ -199,7 +195,6 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
 #endif
 
 #ifdef IPSTEALTH
-int	ipstealth = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
     ipstealth, 0, "IP stealth mode, no TTL decrementation on forwarding");
 #endif
@@ -225,6 +220,37 @@ ip_init(void)
 	struct protosw *pr;
 	int i;
 
+	V_ipsendredirects = 1; /* XXX */
+	V_ip_checkinterface = 0;
+	V_ip_keepfaith = 0;
+	V_ip_sendsourcequench = 0;
+	V_rsvp_on = 0;
+	V_ip_defttl = IPDEFTTL;
+	V_ip_do_randomid = 0;
+	V_ipforwarding = 0;
+	V_ipstealth = 0;
+	V_nipq = 0;	/* Total # of reass queues */
+
+	V_ipport_lowfirstauto = IPPORT_RESERVED - 1;	/* 1023 */
+	V_ipport_lowlastauto = IPPORT_RESERVEDSTART;	/* 600 */
+	V_ipport_firstauto = IPPORT_EPHEMERALFIRST;	/* 10000 */
+	V_ipport_lastauto = IPPORT_EPHEMERALLAST;	/* 65535 */
+	V_ipport_hifirstauto = IPPORT_HIFIRSTAUTO;	/* 49152 */
+	V_ipport_hilastauto = IPPORT_HILASTAUTO;	/* 65535 */
+	V_ipport_reservedhigh = IPPORT_RESERVED - 1;	/* 1023 */
+	V_ipport_reservedlow = 0;
+	V_ipport_randomized = 1;	/* user controlled via sysctl */
+	V_ipport_randomcps = 10;	/* user controlled via sysctl */
+	V_ipport_randomtime = 45;	/* user controlled via sysctl */
+	V_ipport_stoprandom = 0;	/* toggled by ipport_tick */
+
+#ifdef NOTYET
+	/* XXX global static but not instantiated in this file */
+	V_ipfastforward_active = 0;
+	V_subnetsarelocal = 0;
+	V_sameprefixcarponly = 0;
+#endif
+
 	TAILQ_INIT(&V_in_ifaddrhead);
 	V_in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &V_in_ifaddrhmask);
 	pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
@@ -1591,8 +1617,6 @@ makedummy:
  * locking.  This code remains in ip_input.c as ip_mroute.c is optionally
  * compiled.
  */
-static int ip_rsvp_on;
-struct socket *ip_rsvpd;
 int
 ip_rsvp_init(struct socket *so)
 {
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 7612f67..75ef09d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -83,7 +83,9 @@ __FBSDID("$FreeBSD$");
 				  (ntohl(a.s_addr)>>8)&0xFF,\
 				  (ntohl(a.s_addr))&0xFF, y);
 
+#ifdef VIMAGE_GLOBALS
 u_short ip_id;
+#endif
 
 #ifdef MBUF_STRESS_TEST
 int mbuf_frag_size = 0;
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 8eca00a..dfe902e 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -76,8 +76,10 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
+#ifdef VIMAGE_GLOBALS
 struct	inpcbhead ripcb;
 struct	inpcbinfo ripcbinfo;
+#endif
 
 /* control hooks for ipfw and dummynet */
 ip_fw_ctl_t *ip_fw_ctl_ptr = NULL;
@@ -91,7 +93,9 @@ ip_dn_ctl_t *ip_dn_ctl_ptr = NULL;
 /*
  * The socket used to communicate with the multicast routing daemon.
  */
+#ifdef VIMAGE_GLOBALS
 struct socket  *ip_mrouter;
+#endif
 
 /*
  * The various mrouter and rsvp functions.
diff --git a/sys/netinet/tcp_hostcache.c b/sys/netinet/tcp_hostcache.c
index ec8f9ba..25dc44a 100644
--- a/sys/netinet/tcp_hostcache.c
+++ b/sys/netinet/tcp_hostcache.c
@@ -146,9 +146,11 @@ struct tcp_hostcache {
 	int	prune;
 	int	purgeall;
 };
-static struct tcp_hostcache tcp_hostcache;
 
+#ifdef VIMAGE_GLOBALS
+static struct tcp_hostcache tcp_hostcache;
 static struct callout tcp_hc_callout;
+#endif
 
 static struct hc_metrics *tcp_hc_lookup(struct in_conninfo *);
 static struct hc_metrics *tcp_hc_insert(struct in_conninfo *);
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index a7515ef..4c17f10d 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -99,7 +99,21 @@ __FBSDID("$FreeBSD$");
 
 static const int tcprexmtthresh = 3;
 
+#ifdef VIMAGE_GLOBALS
 struct	tcpstat tcpstat;
+int	blackhole;
+int	tcp_delack_enabled;
+int	drop_synfin;
+int	tcp_do_rfc3042;
+int	tcp_do_rfc3390;
+int	tcp_do_ecn;
+int	tcp_ecn_maxretries;
+int	tcp_insecure_rst;
+int	tcp_do_autorcvbuf;
+int	tcp_autorcvbuf_inc;
+int	tcp_autorcvbuf_max;
+#endif
+
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_STATS, stats,
     CTLFLAG_RW, tcpstat , tcpstat,
     "TCP statistics (struct tcpstat, netinet/tcp_var.h)");
@@ -108,59 +122,50 @@ int tcp_log_in_vain = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
     &tcp_log_in_vain, 0, "Log all incoming TCP segments to closed ports");
 
-static int blackhole = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
     blackhole, 0, "Do not send RST on segments to closed ports");
 
-int tcp_delack_enabled = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, delayed_ack,
     CTLFLAG_RW, tcp_delack_enabled, 0,
     "Delay ACK to try and piggyback it onto a data packet");
 
-static int drop_synfin = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, drop_synfin,
     CTLFLAG_RW, drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
 
-static int tcp_do_rfc3042 = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
     tcp_do_rfc3042, 0, "Enable RFC 3042 (Limited Transmit)");
 
-static int tcp_do_rfc3390 = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW,
     tcp_do_rfc3390, 0,
     "Enable RFC 3390 (Increasing TCP's Initial Congestion Window)");
 
-int	tcp_do_ecn = 0;
-int	tcp_ecn_maxretries = 1;
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, ecn, CTLFLAG_RW, 0, "TCP ECN");
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_ecn, OID_AUTO, enable,
     CTLFLAG_RW, tcp_do_ecn, 0, "TCP ECN support");
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_ecn, OID_AUTO, maxretries,
     CTLFLAG_RW, tcp_ecn_maxretries, 0, "Max retries before giving up on ECN");
 
-static int tcp_insecure_rst = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, insecure_rst,
     CTLFLAG_RW, tcp_insecure_rst, 0,
     "Follow the old (insecure) criteria for accepting RST packets");
 
-int	tcp_do_autorcvbuf = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_auto,
     CTLFLAG_RW, tcp_do_autorcvbuf, 0,
     "Enable automatic receive buffer sizing");
 
-int	tcp_autorcvbuf_inc = 16*1024;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_inc,
     CTLFLAG_RW, tcp_autorcvbuf_inc, 0,
     "Incrementor step size of automatic receive buffer");
 
-int	tcp_autorcvbuf_max = 256*1024;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, recvbuf_max,
     CTLFLAG_RW, tcp_autorcvbuf_max, 0,
     "Max size of automatic receive buffer");
 
+#ifdef VIMAGE_GLOBALS
 struct inpcbhead tcb;
-#define	tcb6	tcb  /* for KAME src sync over BSD*'s */
 struct inpcbinfo tcbinfo;
+#endif
+#define	tcb6	tcb  /* for KAME src sync over BSD*'s */
 
 static void	 tcp_dooptions(struct tcpopt *, u_char *, int, int);
 static void	 tcp_do_segment(struct mbuf *, struct tcphdr *,
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index b3a010b..ab92905 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -87,39 +87,42 @@ __FBSDID("$FreeBSD$");
 extern struct mbuf *m_copypack();
 #endif
 
-int path_mtu_discovery = 1;
+#ifdef VIMAGE_GLOBALS
+int path_mtu_discovery;
+int ss_fltsz;
+int ss_fltsz_local;
+int tcp_do_newreno;
+int tcp_do_tso;
+int tcp_do_autosndbuf;
+int tcp_autosndbuf_inc;
+int tcp_autosndbuf_max;
+#endif
+
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, path_mtu_discovery,
 	CTLFLAG_RW, path_mtu_discovery, 1, "Enable Path MTU Discovery");
 
-int ss_fltsz = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO,
 	slowstart_flightsize, CTLFLAG_RW,
 	ss_fltsz, 1, "Slow start flight size");
 
-int ss_fltsz_local = 4;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO,
 	local_slowstart_flightsize, CTLFLAG_RW,
 	ss_fltsz_local, 1, "Slow start flight size for local networks");
 
-int     tcp_do_newreno = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, newreno, CTLFLAG_RW,
 	tcp_do_newreno, 0, "Enable NewReno Algorithms");
 
-int	tcp_do_tso = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, tso, CTLFLAG_RW,
 	tcp_do_tso, 0, "Enable TCP Segmentation Offload");
 
-int	tcp_do_autosndbuf = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_auto,
 	CTLFLAG_RW,
 	tcp_do_autosndbuf, 0, "Enable automatic send buffer sizing");
 
-int	tcp_autosndbuf_inc = 8*1024;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_inc,
 	CTLFLAG_RW, tcp_autosndbuf_inc, 0,
 	"Incrementor step size of automatic send buffer");
 
-int	tcp_autosndbuf_max = 256*1024;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, sendbuf_max,
 	CTLFLAG_RW, tcp_autosndbuf_max, 0,
 	"Max size of automatic send buffer");
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 6f55e11..5f47be0 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -74,25 +74,28 @@ __FBSDID("$FreeBSD$");
 #include <netinet/tcp_debug.h>
 #endif /* TCPDEBUG */
 
+#ifdef VIMAGE_GLOBALS
+static int tcp_reass_maxseg;
+int tcp_reass_qsize;
+static int tcp_reass_maxqlen;
+static int tcp_reass_overflows;
+#endif
+
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
     "TCP Segment Reassembly Queue");
 
-static int tcp_reass_maxseg = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, maxsegments,
     CTLFLAG_RDTUN, tcp_reass_maxseg, 0,
     "Global maximum number of TCP Segments in Reassembly Queue");
 
-int tcp_reass_qsize = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, cursegments,
     CTLFLAG_RD, tcp_reass_qsize, 0,
     "Global number of TCP Segments currently in Reassembly Queue");
 
-static int tcp_reass_maxqlen = 48;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, maxqlen,
     CTLFLAG_RW, tcp_reass_maxqlen, 0,
     "Maximum number of TCP Segments per individual Reassembly Queue");
 
-static int tcp_reass_overflows = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_reass, OID_AUTO, overflows,
     CTLFLAG_RD, tcp_reass_overflows, 0,
     "Global number of TCP Segment Reassembly Queue Overflows");
@@ -114,6 +117,11 @@ tcp_reass_init(void)
 {
 	INIT_VNET_INET(curvnet);
 
+	V_tcp_reass_maxseg = 0;
+	V_tcp_reass_qsize = 0;
+	V_tcp_reass_maxqlen = 48;
+	V_tcp_reass_overflows = 0;
+
 	V_tcp_reass_maxseg = nmbclusters / 16;
 	TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
 	    &V_tcp_reass_maxseg);
diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index 3c6ceca..9eb57ba 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -124,23 +124,26 @@ __FBSDID("$FreeBSD$");
 
 extern struct uma_zone *sack_hole_zone;
 
+#ifdef VIMAGE_GLOBALS
+int tcp_do_sack;
+int tcp_sack_maxholes;
+int tcp_sack_globalmaxholes;
+int tcp_sack_globalholes;
+#endif
+
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, sack, CTLFLAG_RW, 0, "TCP SACK");
-int tcp_do_sack = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, enable,
     CTLFLAG_RW, tcp_do_sack, 0, "Enable/Disable TCP SACK support");
 TUNABLE_INT("net.inet.tcp.sack.enable", &tcp_do_sack);
 
-static int tcp_sack_maxholes = 128;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, maxholes,
     CTLFLAG_RW, tcp_sack_maxholes, 0, 
     "Maximum number of TCP SACK holes allowed per connection");
 
-static int tcp_sack_globalmaxholes = 65536;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, globalmaxholes,
     CTLFLAG_RW, tcp_sack_globalmaxholes, 0, 
     "Global maximum number of TCP SACK holes");
 
-static int tcp_sack_globalholes = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_sack, OID_AUTO, globalholes,
     CTLFLAG_RD, tcp_sack_globalholes, 0,
     "Global number of TCP SACK holes currently allocated");
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 02d654b..e28d40c 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -111,9 +111,20 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
-int	tcp_mssdflt = TCP_MSS;
+#ifdef VIMAGE_GLOBALS
+int	tcp_mssdflt;
 #ifdef INET6
-int	tcp_v6mssdflt = TCP6_MSS;
+int	tcp_v6mssdflt;
+#endif
+int	tcp_minmss;
+int	tcp_do_rfc1323;
+static int	icmp_may_rst;
+static int	tcp_isn_reseed_interval;
+static int	tcp_inflight_enable;
+static int	tcp_inflight_rttthresh;
+static int	tcp_inflight_min;
+static int	tcp_inflight_max;
+static int	tcp_inflight_stab;
 #endif
 
 static int
@@ -168,11 +179,9 @@ SYSCTL_PROC(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt, CTLTYPE_INT|CTLFLAG_RW,
  * with packet generation and sending. Set to zero to disable MINMSS
  * checking. This setting prevents us from sending too small packets.
  */
-int	tcp_minmss = TCP_MINMSS;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, minmss,
     CTLFLAG_RW, tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
 
-int	tcp_do_rfc1323 = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323,
     CTLFLAG_RW, tcp_do_rfc1323, 0,
     "Enable rfc1323 (high performance TCP) extensions");
@@ -192,12 +201,10 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0,
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, pcbcount,
     CTLFLAG_RD, tcbinfo.ipi_count, 0, "Number of active PCBs");
 
-static int	icmp_may_rst = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, icmp_may_rst,
     CTLFLAG_RW, icmp_may_rst, 0,
     "Certain ICMP unreachable messages may abort connections in SYN_SENT");
 
-static int	tcp_isn_reseed_interval = 0;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, isn_reseed_interval,
     CTLFLAG_RW, tcp_isn_reseed_interval, 0,
     "Seconds between reseeding of ISN secret");
@@ -210,7 +217,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, isn_reseed_interval,
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, inflight, CTLFLAG_RW, 0,
     "TCP inflight data limiting");
 
-static int	tcp_inflight_enable = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, enable,
     CTLFLAG_RW, tcp_inflight_enable, 0,
     "Enable automatic TCP inflight data limiting");
@@ -219,20 +225,16 @@ static int	tcp_inflight_debug = 0;
 SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW,
     &tcp_inflight_debug, 0, "Debug TCP inflight calculations");
 
-static int	tcp_inflight_rttthresh;
 SYSCTL_PROC(_net_inet_tcp_inflight, OID_AUTO, rttthresh, CTLTYPE_INT|CTLFLAG_RW,
     &tcp_inflight_rttthresh, 0, sysctl_msec_to_ticks, "I",
     "RTT threshold below which inflight will deactivate itself");
 
-static int	tcp_inflight_min = 6144;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, min,
     CTLFLAG_RW, tcp_inflight_min, 0, "Lower-bound for TCP inflight window");
 
-static int	tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, max,
     CTLFLAG_RW, tcp_inflight_max, 0, "Upper-bound for TCP inflight window");
 
-static int	tcp_inflight_stab = 20;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, stab,
     CTLFLAG_RW, tcp_inflight_stab, 0,
     "Inflight Algorithm Stabilization 20 = 2 packets");
@@ -297,8 +299,49 @@ void
 tcp_init(void)
 {
 	INIT_VNET_INET(curvnet);
+	int hashsize;
+
+	V_blackhole = 0;
+	V_tcp_delack_enabled = 1;
+	V_drop_synfin = 0;
+	V_tcp_do_rfc3042 = 1;
+	V_tcp_do_rfc3390 = 1;
+	V_tcp_do_ecn = 0;
+	V_tcp_ecn_maxretries = 1;
+	V_tcp_insecure_rst = 0;
+	V_tcp_do_autorcvbuf = 1;
+	V_tcp_autorcvbuf_inc = 16*1024;
+	V_tcp_autorcvbuf_max = 256*1024;
+
+	V_tcp_mssdflt = TCP_MSS;
+#ifdef INET6
+	V_tcp_v6mssdflt = TCP6_MSS;
+#endif
+	V_tcp_minmss = TCP_MINMSS;
+	V_tcp_do_rfc1323 = 1;
+	V_icmp_may_rst = 1;
+	V_tcp_isn_reseed_interval = 0;
+	V_tcp_inflight_enable = 1;
+	V_tcp_inflight_min = 6144;
+	V_tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
+	V_tcp_inflight_stab = 20;
+
+	V_path_mtu_discovery = 1;
+	V_ss_fltsz = 1;
+	V_ss_fltsz_local = 4;
+	V_tcp_do_newreno = 1;
+	V_tcp_do_tso = 1;
+	V_tcp_do_autosndbuf = 1;
+	V_tcp_autosndbuf_inc = 8*1024;
+	V_tcp_autosndbuf_max = 256*1024;
+
+	V_nolocaltimewait = 0;
+
+	V_tcp_do_sack = 1;
+	V_tcp_sack_maxholes = 128;
+	V_tcp_sack_globalmaxholes = 65536;
+	V_tcp_sack_globalholes = 0;
 
-	int hashsize = TCBHASHSIZE;
 	tcp_delacktime = TCPTV_DELACK;
 	tcp_keepinit = TCPTV_KEEP_INIT;
 	tcp_keepidle = TCPTV_KEEP_IDLE;
@@ -315,6 +358,7 @@ tcp_init(void)
 	INP_INFO_LOCK_INIT(&V_tcbinfo, "tcp");
 	LIST_INIT(&V_tcb);
 	V_tcbinfo.ipi_listhead = &V_tcb;
+	hashsize = TCBHASHSIZE;
 	TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize);
 	if (!powerof2(hashsize)) {
 		printf("WARNING: TCB hash size not a power of 2\n");
@@ -1429,10 +1473,12 @@ tcp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
 #define ISN_STATIC_INCREMENT 4096
 #define ISN_RANDOM_INCREMENT (4096 - 1)
 
+#ifdef VIMAGE_GLOBALS
 static u_char isn_secret[32];
 static int isn_last_reseed;
 static u_int32_t isn_offset, isn_offset_old;
 static MD5_CTX isn_ctx;
+#endif
 
 tcp_seq
 tcp_new_isn(struct tcpcb *tp)
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index c9f3b4f..a69b0b2 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -98,12 +98,17 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
-static int tcp_syncookies = 1;
+#ifdef VIMAGE_GLOBALS
+static struct tcp_syncache tcp_syncache;
+static int tcp_syncookies;
+static int tcp_syncookiesonly;
+int tcp_sc_rst_sock_fail;
+#endif
+
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_RW,
     &tcp_syncookies, 0,
     "Use TCP SYN cookies if the syncache overflows");
 
-static int tcp_syncookiesonly = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies_only, CTLFLAG_RW,
     &tcp_syncookiesonly, 0,
     "Use only TCP SYN cookies");
@@ -142,8 +147,6 @@ static struct syncache
 #define TCP_SYNCACHE_HASHSIZE		512
 #define TCP_SYNCACHE_BUCKETLIMIT	30
 
-static struct tcp_syncache tcp_syncache;
-
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, syncache, CTLFLAG_RW, 0, "TCP SYN cache");
 
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
@@ -166,7 +169,6 @@ SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
     rexmtlimit, CTLFLAG_RW,
     tcp_syncache.rexmt_limit, 0, "Limit on SYN/ACK retransmissions");
 
-int	tcp_sc_rst_sock_fail = 1;
 SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_syncache, OID_AUTO,
      rst_on_sock_fail, CTLFLAG_RW,
      tcp_sc_rst_sock_fail, 0, "Send reset on socket allocation failure");
@@ -223,6 +225,10 @@ syncache_init(void)
 	INIT_VNET_INET(curvnet);
 	int i;
 
+	V_tcp_syncookies = 1;
+	V_tcp_syncookiesonly = 0;
+	V_tcp_sc_rst_sock_fail = 1;
+
 	V_tcp_syncache.cache_count = 0;
 	V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
 	V_tcp_syncache.bucket_limit = TCP_SYNCACHE_BUCKETLIMIT;
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 83b8aa6..a97b4a2 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -102,7 +102,10 @@ static int	maxtcptw;
  * queue pointers in each tcptw structure, are protected using the global
  * tcbinfo lock, which must be held over queue iteration and modification.
  */
+#ifdef VIMAGE_GLOBALS
 static TAILQ_HEAD(, tcptw)	twq_2msl;
+int	nolocaltimewait;
+#endif
 
 static void	tcp_tw_2msl_reset(struct tcptw *, int);
 static void	tcp_tw_2msl_stop(struct tcptw *);
@@ -147,7 +150,6 @@ SYSCTL_PROC(_net_inet_tcp, OID_AUTO, maxtcptw, CTLTYPE_INT|CTLFLAG_RW,
     &maxtcptw, 0, sysctl_maxtcptw, "IU",
     "Maximum number of compressed TCP TIME_WAIT entries");
 
-static int	nolocaltimewait = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, nolocaltimewait, CTLFLAG_RW,
     &nolocaltimewait, 0,
     "Do not create compressed TCP TIME_WAIT entries for local connections");
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 40f060b..3bef611 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -517,7 +517,26 @@ extern	int path_mtu_discovery;
 extern	int ss_fltsz;
 extern	int ss_fltsz_local;
 
+extern	int blackhole;
+extern	int drop_synfin;
+extern	int tcp_do_rfc3042;
+extern	int tcp_do_rfc3390;
+extern	int tcp_insecure_rst;
+extern	int tcp_do_autorcvbuf;
+extern	int tcp_autorcvbuf_inc;
+extern	int tcp_autorcvbuf_max;
+
+extern	int tcp_do_tso;
+extern	int tcp_do_autosndbuf;
+extern	int tcp_autosndbuf_inc;
+extern	int tcp_autosndbuf_max;
+
+extern	int nolocaltimewait;
+
 extern	int tcp_do_sack;		/* SACK enabled/disabled */
+extern	int tcp_sack_maxholes;
+extern	int tcp_sack_globalmaxholes;
+extern	int tcp_sack_globalholes;
 extern	int tcp_sc_rst_sock_fail;	/* RST on sock alloc failure */
 extern	int tcp_do_ecn;			/* TCP ECN enabled/disabled */
 extern	int tcp_ecn_maxretries;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index cbfdb6b..9409235 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -95,6 +95,10 @@ __FBSDID("$FreeBSD$");
  * Per RFC 768, August, 1980.
  */
 
+#ifdef VIMAGE_GLOBALS
+int	udp_blackhole;
+#endif
+
 /*
  * BSD 4.2 defaulted the udp checksum to be off.  Turning off udp checksums
  * removes the only data integrity mechanism for packets and malformed
@@ -109,7 +113,6 @@ int	udp_log_in_vain = 0;
 SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW,
     &udp_log_in_vain, 0, "Log all incoming UDP packets");
 
-int	udp_blackhole = 0;
 SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_RW, &udp_blackhole, 0,
     "Do not send port unreachables for refused connects");
 
@@ -129,14 +132,16 @@ u_long	udp_recvspace = 40 * (1024 +
 SYSCTL_ULONG(_net_inet_udp, UDPCTL_RECVSPACE, recvspace, CTLFLAG_RW,
     &udp_recvspace, 0, "Maximum space for incoming UDP datagrams");
 
+#ifdef VIMAGE_GLOBALS
 struct inpcbhead	udb;		/* from udp_var.h */
 struct inpcbinfo	udbinfo;
+struct udpstat		udpstat;	/* from udp_var.h */
+#endif
 
 #ifndef UDBHASHSIZE
 #define	UDBHASHSIZE	128
 #endif
 
-struct udpstat	udpstat;	/* from udp_var.h */
 SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_udp, UDPCTL_STATS, stats,
     CTLFLAG_RW, udpstat, udpstat,
     "UDP statistics (struct udpstat, netinet/udp_var.h)");
@@ -167,6 +172,8 @@ udp_init(void)
 {
 	INIT_VNET_INET(curvnet);
 
+	V_udp_blackhole = 0;
+
 	INP_INFO_LOCK_INIT(&V_udbinfo, "udp");
 	LIST_INIT(&V_udb);
 	V_udbinfo.ipi_listhead = &V_udb;
diff --git a/sys/netinet/vinet.h b/sys/netinet/vinet.h
index 1f16dfd..961e772 100644
--- a/sys/netinet/vinet.h
+++ b/sys/netinet/vinet.h
@@ -319,6 +319,8 @@ struct vnet_inet {
 #define	V_tcp_sack_maxholes	VNET_INET(tcp_sack_maxholes)
 #define	V_tcp_sc_rst_sock_fail	VNET_INET(tcp_sc_rst_sock_fail)
 #define	V_tcp_syncache		VNET_INET(tcp_syncache)
+#define	V_tcp_syncookies	VNET_INET(tcp_syncookies)
+#define	V_tcp_syncookiesonly	VNET_INET(tcp_syncookiesonly)
 #define	V_tcp_v6mssdflt		VNET_INET(tcp_v6mssdflt)
 #define	V_tcpstat		VNET_INET(tcpstat)
 #define	V_twq_2msl		VNET_INET(twq_2msl)