Index: sys/modules/Makefile diff -u sys/modules/Makefile.orig sys/modules/Makefile --- sys/modules/Makefile.orig Tue Jul 25 01:26:05 2000 +++ sys/modules/Makefile Mon Aug 14 22:39:23 2000 @@ -3,7 +3,7 @@ # XXX present but broken: ip_mroute_mod pcic SUBDIR= agp aha amr an aue ccd cd9660 coda cue dc fdesc fxp if_disc if_ef if_ppp \ - if_sl if_tun ipfilter ipfw ispfw joy kernfs kue \ + if_sl if_tun ip6fw ipfilter ipfw ispfw joy kernfs kue \ md mfs mii mlx msdos ncp netgraph nfs ntfs nullfs \ nwfs portal procfs rl sf sis sk ste syscons ti tl twe \ ugen uhid ukbd ulpt umapfs umass umodem ums union usb vinum vn vpo vr wb wx xl Index: sys/modules/ip6fw/Makefile diff -u sys/modules/ip6fw/Makefile.orig sys/modules/ip6fw/Makefile --- sys/modules/ip6fw/Makefile.orig Mon Aug 14 20:51:51 2000 +++ sys/modules/ip6fw/Makefile Mon Aug 14 20:51:54 2000 @@ -0,0 +1,17 @@ +# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11 1999/08/28 00:47:21 peter Exp $ + +.PATH: ${.CURDIR}/../../netinet6 +KMOD= ip6fw +SRCS= ip6_fw.c +NOMAN= +CFLAGS+= -DIPV6FIREWALL +# +#If you want it verbose +#CFLAGS+= -DIPV6FIREWALL_VERBOSE +#CFLAGS+= -DIPV6FIREWALL_VERBOSE_LIMIT=100 +# +#If you want it to pass all packets by default +#CFLAGS+= -DIPV6FIREWALL_DEFAULT_TO_ACCEPT +# + +.include Index: sys/netinet6/ip6_forward.c diff -u sys/netinet6/ip6_forward.c.orig sys/netinet6/ip6_forward.c --- sys/netinet6/ip6_forward.c.orig Mon Jul 17 16:16:50 2000 +++ sys/netinet6/ip6_forward.c Mon Aug 14 20:45:25 2000 @@ -62,9 +62,7 @@ #include #endif /* IPSEC */ -#ifdef IPV6FIREWALL #include -#endif #include @@ -415,11 +413,10 @@ (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) type = ND_REDIRECT; -#ifdef IPV6FIREWALL /* * Check with the firewall... */ - if (ip6_fw_chk_ptr) { + if (ip6_fw_enable && ip6_fw_chk_ptr) { u_short port = 0; /* If ipfw says divert, we have to just drop packet */ if ((*ip6_fw_chk_ptr)(&ip6, rt->rt_ifp, &port, &m)) { 
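Review bot: The header of the new sys/modules/ip6fw/Makefile keeps the RCS id of the file it was copied from (`$FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11 ...`); a new file should carry a bare `$FreeBSD$` so the id tracks this file's own history. Because ip6_fw.c now skips `opt_ip6fw.h` under `KLD_MODULE` (its first hunk further down), a kernel config's `IPV6FIREWALL_VERBOSE`, `IPV6FIREWALL_VERBOSE_LIMIT` and `IPV6FIREWALL_DEFAULT_TO_ACCEPT` never reach the module build, so the commented `CFLAGS+=` lines are the only way to set them, which the comment block should say: `# kernel config options are not seen by the module build; set the defines here`. The `.include` line has lost its argument in this rendering of the patch; presumably it names `bsd.kmod.mk` like the other module Makefiles.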
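Review bot: The new guard `if (ip6_fw_enable && ip6_fw_chk_ptr)` in ip6_forward() turns one sysctl into a global bypass: with `net.inet6.ip6.fw.enable` at 0 every forwarded packet skips the rule chain while the rules stay loaded, and nothing at the call site says so. The identical guard appears in the ip6_input.c hunk at @@ -293 and the ip6_output.c hunk at @@ -789; a single `static inline` predicate in ip6_fw.h would keep the three copies in step, and the comment above each should read `/* Check with the firewall; net.inet6.ip6.fw.enable == 0 bypasses all rules. */` so the fail-open switch is visible where it takes effect. The enclosing function starts and ends outside the hunk.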
@@ -429,7 +426,6 @@ if (!m) goto freecopy; } -#endif /* * Fake scoped addresses. Note that even link-local source or Index: sys/netinet6/ip6_fw.c diff -u sys/netinet6/ip6_fw.c.orig sys/netinet6/ip6_fw.c --- sys/netinet6/ip6_fw.c.orig Sat Jul 15 16:14:34 2000 +++ sys/netinet6/ip6_fw.c Mon Aug 14 21:29:02 2000 @@ -20,9 +20,11 @@ * Implement IPv6 packet firewall */ +#if !defined(KLD_MODULE) #include "opt_ip6fw.h" #include "opt_inet.h" #include "opt_inet6.h" +#endif #ifdef IP6DIVERT #error "NOT SUPPORTED IPV6 DIVERT" @@ -84,6 +86,8 @@ #ifdef SYSCTL_NODE SYSCTL_DECL(_net_inet6_ip6); SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); +SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW, + &ip6_fw_enable, 0, "Enable ip6fw"); SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, debug, CTLFLAG_RW, &fw6_debug, 0, ""); SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw6_verbose, 0, ""); SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw6_verbose_limit, 0, ""); 
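Review bot: The description string `"Enable ip6fw"` on the new `enable` oid under-documents a knob whose off position passes all IPv6 traffic without consulting the rules; `"Enable ip6fw (0 passes all IPv6 packets unfiltered)"` tells an operator reading `sysctl -d` what they are turning off. The oid is plain CTLFLAG_RW like its ipfw counterpart, so it is not securelevel-protected; if that is intended, a one-line comment above the SYSCTL_INT saying so saves the next reader from guessing. The variable it exposes is defined in ip6_input.c (hunk @@ -130 below) rather than in this file, so the oid exists only while the module is loaded although the value persists; that asymmetry is worth a comment here too.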
@@ -1184,3 +1188,48 @@ fw6_verbose_limit); #endif } + +static ip6_fw_chk_t *old_chk_ptr; +static ip6_fw_ctl_t *old_ctl_ptr; + +static int +ip6fw_modevent(module_t mod, int type, void *unused) +{ + int s; + + switch (type) { + case MOD_LOAD: + s = splnet(); + + old_chk_ptr = ip6_fw_chk_ptr; + old_ctl_ptr = ip6_fw_ctl_ptr; + + ip6_fw_init(); + splx(s); + return 0; + case MOD_UNLOAD: + s = splnet(); + ip6_fw_chk_ptr = old_chk_ptr; + ip6_fw_ctl_ptr = old_ctl_ptr; + while (LIST_FIRST(&ip6_fw_chain) != NULL) { + struct ip6_fw_chain *fcp = LIST_FIRST(&ip6_fw_chain); + LIST_REMOVE(LIST_FIRST(&ip6_fw_chain), chain); + free(fcp->rule, M_IP6FW); + free(fcp, M_IP6FW); + } + + splx(s); + printf("IPv6 firewall unloaded\n"); + return 0; + default: + break; + } + return 0; +} + +static moduledata_t ip6fwmod = { + "ip6fw", + ip6fw_modevent, + 0 +}; +DECLARE_MODULE(ip6fw, ip6fwmod, SI_SUB_PSEUDO, SI_ORDER_ANY); Index: sys/netinet6/ip6_fw.h diff -u sys/netinet6/ip6_fw.h.orig sys/netinet6/ip6_fw.h --- sys/netinet6/ip6_fw.h.orig Sat Jul 15 16:14:34 2000 +++ sys/netinet6/ip6_fw.h Mon Aug 14 20:48:41 2000 @@ -190,6 +190,7 @@ typedef int ip6_fw_ctl_t __P((int, struct mbuf**)); extern ip6_fw_chk_t *ip6_fw_chk_ptr; extern ip6_fw_ctl_t *ip6_fw_ctl_ptr; +extern int ip6_fw_enable; #endif /* _KERNEL */ Index: sys/netinet6/ip6_input.c diff -u sys/netinet6/ip6_input.c.orig sys/netinet6/ip6_input.c --- sys/netinet6/ip6_input.c.orig Sat Jul 15 16:14:34 2000 +++ sys/netinet6/ip6_input.c Mon Aug 14 20:33:59 2000 @@ -105,9 +105,7 @@ #include #include -#ifdef IPV6FIREWALL #include -#endif #include @@ -130,11 +128,10 @@ int ip6_sourcecheck_interval; /* XXX */ const int int6intrq_present = 1; -#ifdef IPV6FIREWALL /* firewall hooks */ ip6_fw_chk_t *ip6_fw_chk_ptr; ip6_fw_ctl_t *ip6_fw_ctl_ptr; -#endif +int ip6_fw_enable = 1; struct ip6stat ip6stat; 
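Review bot: MOD_LOAD never touches `ip6_fw_enable`, so an administrator who set `net.inet6.ip6.fw.enable=0`, unloaded and later reloaded the module gets a firewall that installs its hooks yet filters nothing, with no message; either reset it next to the init call (`ip6_fw_enable = 1;` before `ip6_fw_init();`) or state in a comment that the knob deliberately outlives the module because the variable lives in ip6_input.c, which the module does not own. The MOD_UNLOAD path should carry a comment that restoring `old_chk_ptr`/`old_ctl_ptr` (NULL in a kernel that had no firewall hooks installed before the load, since ip6_input.c defines both pointers without an initializer) leaves IPv6 input, output and forwarding unfiltered from that point on, and that the chain teardown has to stay inside `splnet()` because the packet path that calls through the hooks presumably runs at that level. The loop evaluates `LIST_FIRST(&ip6_fw_chain)` three times per iteration; `struct ip6_fw_chain *fcp; while ((fcp = LIST_FIRST(&ip6_fw_chain)) != NULL) { LIST_REMOVE(fcp, chain); ...` reads it once, and if the IPV6_FW_FLUSH path in `ip6_fw_ctl` already walks the chain the same way the two could share one static helper.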
@@ -170,9 +167,6 @@ register_netisr(NETISR_IPV6, ip6intr); nd6_init(); frag6_init(); -#ifdef IPV6FIREWALL - ip6_fw_init(); -#endif /* * in many cases, random() here does NOT return random number * as initialization during bootstrap time occur in fixed order. @@ -293,11 +287,10 @@ ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; -#ifdef IPV6FIREWALL /* * Check with the firewall... */ - if (ip6_fw_chk_ptr) { + if (ip6_fw_enable && ip6_fw_chk_ptr) { u_short port = 0; /* If ipfw says divert, we have to just drop packet */ /* use port as a dummy argument */ @@ -308,7 +301,6 @@ if (!m) return; } -#endif /* * Scope check Index: sys/netinet6/ip6_output.c diff -u sys/netinet6/ip6_output.c.orig sys/netinet6/ip6_output.c --- sys/netinet6/ip6_output.c.orig Sat Jul 15 16:14:35 2000 +++ sys/netinet6/ip6_output.c Mon Aug 14 20:43:31 2000 @@ -102,9 +102,7 @@ #include -#ifdef IPV6FIREWALL #include -#endif static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options"); @@ -789,11 +787,10 @@ ip6->ip6_dst.s6_addr16[1] = 0; } -#ifdef IPV6FIREWALL /* * Check with the firewall... */ - if (ip6_fw_chk_ptr) { + if (ip6_fw_enable && ip6_fw_chk_ptr) { u_short port = 0; m->m_pkthdr.rcvif = NULL; /*XXX*/ /* If ipfw says divert, we have to just drop packet */ @@ -806,7 +803,6 @@ goto done; } } -#endif /* * If the outgoing packet contains a hop-by-hop options header, @@ -1355,7 +1351,6 @@ break; #endif /* IPSEC */ -#ifdef IPV6FIREWALL case IPV6_FW_ADD: case IPV6_FW_DEL: case IPV6_FW_FLUSH: @@ -1376,7 +1371,6 @@ m = *mp; } break; -#endif default: error = ENOPROTOOPT; @@ -1510,7 +1504,6 @@ } #endif /* IPSEC */ -#ifdef IPV6FIREWALL case IPV6_FW_GET: { struct mbuf *m; @@ -1527,7 +1520,6 @@ m_freem(m); } break; -#endif default: error = ENOPROTOOPT;
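Review bot: Dropping `#ifdef IPV6FIREWALL` around the IPV6_FW_ADD/IPV6_FW_DEL/IPV6_FW_FLUSH cases (and IPV6_FW_GET at @@ -1510) makes them reachable in every kernel, including one where the module is not loaded and `ip6_fw_ctl_ptr` is still the NULL it is defined with in ip6_input.c; the case bodies lie outside these hunks, so I cannot see whether they test the pointer before calling through `(*ip6_fw_ctl_ptr)`. If they do not, `if (ip6_fw_ctl_ptr == NULL) { error = ENOPROTOOPT; break; }` at the top of each body, before any mbuf is obtained, keeps a setsockopt(2)/getsockopt(2) caller from dereferencing NULL and matches the error the `default:` case already returns.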