Import pfsync support from OpenBSD 4.2

Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can be used to synchronise different pf. This work was part of my 2009 GSoC No objection on tech-net@
2009-09-14 10:36:48 +00:00 · 2009-09-14 10:36:48 +00:00 · 2d48ac808c
parent 03266a3f98
commit 2d48ac808c
30 changed files with 3294 additions and 46 deletions
--- a/dist/libpcap/pcap-bpf.h
+++ b/dist/libpcap/pcap-bpf.h
@ -37,7 +37,7 @@
 *
 *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
 *
- * @(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap-bpf.h,v 1.1.1.1 2006/02/27 15:45:47 drochner Exp $ (LBL)
+ * @(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap-bpf.h,v 1.2 2009/09/14 10:36:48 degroote Exp $ (LBL)
 */

 /*
@ -299,8 +299,8 @@ struct bpf_version {
 */
 #ifdef __OpenBSD__
 #define DLT_OLD_PFLOG	17
-#define DLT_PFSYNC	18
 #endif
+#define DLT_PFSYNC	18
 #define DLT_PFLOG	117

 /*
--- a/dist/libpcap/pcap.c
+++ b/dist/libpcap/pcap.c
@ -33,7 +33,7 @@

 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap.c,v 1.3 2006/02/27 15:57:17 drochner Exp $ (LBL)";
+    "@(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap.c,v 1.4 2009/09/14 10:36:48 degroote Exp $ (LBL)";
 #endif

 #ifdef HAVE_CONFIG_H
@ -346,6 +346,7 @@ static struct dlt_choice dlt_choices[] = {
 	DLT_CHOICE(DLT_LINUX_SLL, "Linux cooked"),
 	DLT_CHOICE(DLT_LTALK, "Localtalk"),
 	DLT_CHOICE(DLT_PFLOG, "OpenBSD pflog file"),
+	DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"),   
 	DLT_CHOICE(DLT_PRISM_HEADER, "802.11 plus Prism header"),
 	DLT_CHOICE(DLT_IP_OVER_FC, "RFC 2625 IP-over-Fibre Channel"),
 	DLT_CHOICE(DLT_SUNATM, "Sun raw ATM"),
--- a/dist/pf/share/man/man4/pf.4
+++ b/dist/pf/share/man/man4/pf.4
@ -1,4 +1,4 @@
-.\"	$NetBSD: pf.4,v 1.9 2009/03/22 14:29:34 perry Exp $
+.\"	$NetBSD: pf.4,v 1.10 2009/09/14 10:36:48 degroote Exp $
 .\"	$OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
@ -1131,7 +1131,7 @@ main(int argc, char *argv[])
 .Xr ioctl 2 ,
 .Xr bridge 4 ,
 .Xr pflog 4 ,
-.\" .Xr pfsync 4 ,
+.Xr pfsync 4 ,
 .Xr pfctl 8 ,
 .Xr altq 9
 .Sh HISTORY
--- a/dist/pf/share/man/man4/pfsync.4
+++ b/dist/pf/share/man/man4/pfsync.4
@ -0,0 +1,244 @@
+.\"	$NetBSD: pfsync.4,v 1.1 2009/09/14 10:36:48 degroote Exp $
+.\"	$OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $
+.\"
+.\" Copyright (c) 2002 Michael Shalayeff
+.\" Copyright (c) 2003-2004 Ryan McBride
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF MIND,
+.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: May 31 2007 $
+.Dt PFSYNC 4
+.Os
+.Sh NAME
+.Nm pfsync
+.Nd packet filter state table logging interface
+.Sh SYNOPSIS
+.Cd "pseudo-device pfsync"
+.Sh DESCRIPTION
+The
+.Nm
+interface is a pseudo-device which exposes certain changes to the state
+table used by
+.Xr pf 4 .
+State changes can be viewed by invoking
+.Xr tcpdump 8
+on the
+.Nm
+interface.
+If configured with a physical synchronisation interface,
+.Nm
+will also send state changes out on that interface using IP multicast,
+and insert state changes received on that interface from other systems
+into the state table.
+.Pp
+By default, all local changes to the state table are exposed via
+.Nm .
+However, state changes from packets received by
+.Nm
+over the network are not rebroadcast.
+States created by a rule marked with the
+.Ar no-sync
+keyword are omitted from the
+.Nm
+interface (see
+.Xr pf.conf 5
+for details).
+.Pp
+The
+.Nm
+interface will attempt to collapse multiple updates of the same
+state into one message where possible.
+The maximum number of times this can be done before the update is sent out
+is controlled by the
+.Ar maxupd
+parameter to ifconfig
+(see
+.Xr ifconfig 8
+and the example below for more details).
+.Pp
+Each packet retrieved on this interface has a header associated
+with it of length
+.Dv PFSYNC_HDRLEN .
+The header indicates the version of the protocol, address family,
+action taken on the following states, and the number of state
+table entries attached in this packet.
+This structure is defined in
+.Aq Pa net/if_pfsync.h
+as:
+.Bd -literal -offset indent
+struct pfsync_header {
+	u_int8_t version;
+	u_int8_t af;
+	u_int8_t action;
+	u_int8_t count;
+};
+.Ed
+.Sh NETWORK SYNCHRONISATION
+States can be synchronised between two or more firewalls using this
+interface, by specifying a synchronisation interface using
+.Xr ifconfig 8 .
+For example, the following command sets fxp0 as the synchronisation
+interface:
+.Bd -literal -offset indent
+# ifconfig pfsync0 syncdev fxp0
+.Ed
+.Pp
+By default, state change messages are sent out on the synchronisation
+interface using IP multicast packets.
+The protocol is IP protocol 240, PFSYNC, and the multicast group
+used is 224.0.0.240.
+When a peer address is specified using the
+.Ic syncpeer
+keyword, the peer address is used as a destination for the pfsync traffic,
+and the traffic can then be protected using
+.Xr ipsec 4 .
+In such a configuration, the syncdev should be set to the
+.Xr enc 4
+interface, as this is where the traffic arrives when it is decapsulated,
+e.g.:
+.Bd -literal -offset indent
+# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
+.Ed
+.Pp
+It is important that the pfsync traffic be well secured
+as there is no authentication on the protocol and it would
+be trivial to spoof packets which create states, bypassing the pf ruleset.
+Either run the pfsync protocol on a trusted network \- ideally  a network
+dedicated to pfsync messages such as a crossover cable between two firewalls,
+or specify a peer address and protect the traffic with
+.Xr ipsec 4 .
+.Pp
+There is a one-to-one correspondence between packets seen by
+.Xr bpf 4
+on the
+.Nm
+interface, and packets sent out on the synchronisation interface, i.e.\&
+a packet with 4 state deletion messages on
+.Nm
+means that the same 4 deletions were sent out on the synchronisation
+interface.
+However, the actual packet contents may differ as the messages
+sent over the network are "compressed" where possible, containing
+only the necessary information.
+.Sh EXAMPLES
+.Nm
+and
+.Xr carp 4
+can be used together to provide automatic failover of a pair of firewalls
+configured in parallel.
+One firewall handles all traffic \- if it dies or
+is shut down, the second firewall takes over automatically.
+.Pp
+Both firewalls in this example have three
+.Xr sis 4
+interfaces.
+sis0 is the external interface, on the 10.0.0.0/24 subnet; sis1 is the
+internal interface, on the 192.168.0.0/24 subnet; and sis2 is the
+.Nm
+interface, using the 192.168.254.0/24 subnet.
+A crossover cable connects the two firewalls via their sis2 interfaces.
+On all three interfaces, firewall A uses the .254 address, while firewall B
+uses .253.
+The interfaces are configured as follows (firewall A unless otherwise
+indicated):
+.Pp
+.Pa /etc/hostname.sis0 :
+.Bd -literal -offset indent
+inet 10.0.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis1 :
+.Bd -literal -offset indent
+inet 192.168.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis2 :
+.Bd -literal -offset indent
+inet 192.168.254.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.carp0 :
+.Bd -literal -offset indent
+inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
+.Ed
+.Pp
+.Pa /etc/hostname.carp1 :
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
+.Ed
+.Pp
+.Pa /etc/hostname.pfsync0 :
+.Bd -literal -offset indent
+up syncdev sis2
+.Ed
+.Pp
+.Xr pf 4
+must also be configured to allow
+.Nm
+and
+.Xr carp 4
+traffic through.
+The following should be added to the top of
+.Pa /etc/pf.conf :
+.Bd -literal -offset indent
+pass quick on { sis2 } proto pfsync
+pass on { sis0 sis1 } proto carp
+.Ed
+.Pp
+If it is preferable that one firewall handle the traffic,
+the
+.Ar advskew
+on the backup firewall's
+.Xr carp 4
+interfaces should be set to something higher than
+the primary's.
+For example, if firewall B is the backup, its
+.Pa /etc/hostname.carp1
+would look like this:
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e
+	advskew 100
+.Ed
+.Pp
+The following must also be added to
+.Pa /etc/sysctl.conf :
+.Bd -literal -offset indent
+net.inet.carp.preempt=1
+.Ed
+.Sh SEE ALSO
+.Xr bpf 4 ,
+.Xr carp 4 ,
+.Xr inet 4 ,
+.Xr inet6 4 ,
+.Xr ipsec 4 ,
+.Xr netintro 4 ,
+.Xr pf 4 ,
+.Xr hostname.if 5 ,
+.Xr pf.conf 5 ,
+.Xr protocols 5 ,
+.Xr ifconfig 8 ,
+.Xr tcpdump 8
+.Sh HISTORY
+The
+.Nm
+device first appeared in
+.Ox 3.3 .
--- a/dist/tcpdump/interface.h
+++ b/dist/tcpdump/interface.h
@ -1,4 +1,4 @@
-/*	$NetBSD: interface.h,v 1.7 2007/07/24 11:53:39 drochner Exp $	*/
+/*	$NetBSD: interface.h,v 1.8 2009/09/14 10:36:48 degroote Exp $	*/

 /*
 * Copyright (c) 1988-2002
@ -199,6 +199,8 @@ extern void dvmrp_print(const u_char *, u_int);
 extern void egp_print(const u_char *, u_int);
 extern u_int enc_if_print(const struct pcap_pkthdr *, const u_char *);
 extern u_int pflog_if_print(const struct pcap_pkthdr *, const u_char *);
+extern u_int pfsync_if_print(const struct pcap_pkthdr *, const u_char *);
+extern void pfsync_ip_print(const u_char*, u_int, const u_char *);
 extern u_int arcnet_if_print(const struct pcap_pkthdr *, const u_char *);
 extern u_int arcnet_linux_if_print(const struct pcap_pkthdr *, const u_char *);
 extern void ether_print(const u_char *, u_int, u_int);
--- a/dist/tcpdump/ipproto.c
+++ b/dist/tcpdump/ipproto.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipproto.c,v 1.2 2007/07/24 11:53:39 drochner Exp $	*/
+/*	$NetBSD: ipproto.c,v 1.3 2009/09/14 10:36:49 degroote Exp $	*/

 /* 
 * Redistribution and use in source and binary forms, with or without
@ -21,7 +21,7 @@
 static const char rcsid[] _U_ =
    "@(#) Header: /tcpdump/master/tcpdump/ipproto.c,v 1.3.2.3 2005/09/20 06:05:37 guy Exp (LBL)";
 #else
-__RCSID("$NetBSD: ipproto.c,v 1.2 2007/07/24 11:53:39 drochner Exp $");
+__RCSID("$NetBSD: ipproto.c,v 1.3 2009/09/14 10:36:49 degroote Exp $");
 #endif
 #endif

@ -62,6 +62,7 @@ struct tok ipproto_values[] = {
    { IPPROTO_PGM, "PGM" },
    { IPPROTO_SCTP, "SCTP" },
    { IPPROTO_MOBILITY, "Mobility" },
+    { IPPROTO_PFSYNC, "PFSYNC" },
    { 0, NULL }
 };

--- a/dist/tcpdump/pf_print_state.c
+++ b/dist/tcpdump/pf_print_state.c
@ -0,0 +1,320 @@
+/*	$NetBSD: pf_print_state.c,v 1.1 2009/09/14 10:36:49 degroote Exp $	*/
+/*	$OpenBSD: pf_print_state.c,v 1.45 2007/05/31 04:13:37 mcbride Exp $	*/
+
+/*
+ * Copyright (c) 2001 Daniel Hartmeier
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *    - Redistributions in binary form must reproduce the above
+ *      copyright notice, this list of conditions and the following
+ *      disclaimer in the documentation and/or other materials provided
+ *      with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#define TCPSTATES
+#include <netinet/tcp_fsm.h>
+#include <net/pfvar.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include "pfctl_parser.h"
+#include "pfctl.h"
+
+void	print_name(struct pf_addr *, sa_family_t);
+
+void
+print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
+{
+	switch (addr->type) {
+	case PF_ADDR_DYNIFTL:
+		printf("(%s", addr->v.ifname);
+		if (addr->iflags & PFI_AFLAG_NETWORK)
+			printf(":network");
+		if (addr->iflags & PFI_AFLAG_BROADCAST)
+			printf(":broadcast");
+		if (addr->iflags & PFI_AFLAG_PEER)
+			printf(":peer");
+		if (addr->iflags & PFI_AFLAG_NOALIAS)
+			printf(":0");
+		if (verbose) {
+			if (addr->p.dyncnt <= 0)
+				printf(":*");
+			else
+				printf(":%d", addr->p.dyncnt);
+		}
+		printf(")");
+		break;
+	case PF_ADDR_TABLE:
+		if (verbose)
+			if (addr->p.tblcnt == -1)
+				printf("<%s:*>", addr->v.tblname);
+			else
+				printf("<%s:%d>", addr->v.tblname,
+				    addr->p.tblcnt);
+		else
+			printf("<%s>", addr->v.tblname);
+		return;
+	case PF_ADDR_ADDRMASK:
+		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
+		    PF_AZERO(&addr->v.a.mask, AF_INET6))
+			printf("any");
+		else {
+			char buf[48];
+
+			if (inet_ntop(af, &addr->v.a.addr, buf,
+			    sizeof(buf)) == NULL)
+				printf("?");
+			else
+				printf("%s", buf);
+		}
+		break;
+	case PF_ADDR_NOROUTE:
+		printf("no-route");
+		return;
+	case PF_ADDR_URPFFAILED:
+		printf("urpf-failed");
+		return;
+	case PF_ADDR_RTLABEL:
+		printf("route \"%s\"", addr->v.rtlabelname);
+		return;
+	default:
+		printf("?");
+		return;
+	}
+
+	/* mask if not _both_ address and mask are zero */
+	if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
+	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
+		int bits = unmask(&addr->v.a.mask, af);
+
+		if (bits != (af == AF_INET ? 32 : 128))
+			printf("/%d", bits);
+	}
+}
+
+void
+print_name(struct pf_addr *addr, sa_family_t af)
+{
+	char host[NI_MAXHOST];
+
+	strlcpy(host, "?", sizeof(host));
+	switch (af) {
+	case AF_INET: {
+		struct sockaddr_in sin;
+
+		memset(&sin, 0, sizeof(sin));
+		sin.sin_len = sizeof(sin);
+		sin.sin_family = AF_INET;
+		sin.sin_addr = addr->v4;
+		getnameinfo((struct sockaddr *)&sin, sin.sin_len,
+		    host, sizeof(host), NULL, 0, NI_NOFQDN);
+		break;
+	}
+	case AF_INET6: {
+		struct sockaddr_in6 sin6;
+
+		memset(&sin6, 0, sizeof(sin6));
+		sin6.sin6_len = sizeof(sin6);
+		sin6.sin6_family = AF_INET6;
+		sin6.sin6_addr = addr->v6;
+		getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
+		    host, sizeof(host), NULL, 0, NI_NOFQDN);
+		break;
+	}
+	}
+	printf("%s", host);
+}
+
+void
+print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
+{
+	u_int16_t p = ntohs(h->port);
+
+	if (opts & PF_OPT_USEDNS)
+		print_name(&h->addr, af);
+	else {
+		struct pf_addr_wrap aw;
+
+		memset(&aw, 0, sizeof(aw));
+		aw.v.a.addr = h->addr;
+		if (af == AF_INET)
+			aw.v.a.mask.addr32[0] = 0xffffffff;
+		else {
+			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
+			af = AF_INET6;
+		}
+		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
+	}
+
+	if (p) {
+		if (af == AF_INET)
+			printf(":%u", p);
+		else
+			printf("[%u]", p);
+	}
+}
+
+void
+print_seq(struct pfsync_state_peer *p)
+{
+	if (p->seqdiff)
+		printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
+		    p->seqdiff);
+	else
+		printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo);
+}
+
+void
+print_state(struct pfsync_state *s, int opts)
+{
+	struct pfsync_state_peer *src, *dst;
+	struct protoent *p;
+	int min, sec;
+
+	if (s->direction == PF_OUT) {
+		src = &s->src;
+		dst = &s->dst;
+	} else {
+		src = &s->dst;
+		dst = &s->src;
+	}
+	printf("%s ", s->ifname);
+	if ((p = getprotobynumber(s->proto)) != NULL)
+		printf("%s ", p->p_name);
+	else
+		printf("%u ", s->proto);
+	if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
+	    (s->lan.port != s->gwy.port)) {
+		print_host(&s->lan, s->af, opts);
+		if (s->direction == PF_OUT)
+			printf(" -> ");
+		else
+			printf(" <- ");
+	}
+	print_host(&s->gwy, s->af, opts);
+	if (s->direction == PF_OUT)
+		printf(" -> ");
+	else
+		printf(" <- ");
+	print_host(&s->ext, s->af, opts);
+
+	printf("    ");
+	if (s->proto == IPPROTO_TCP) {
+		if (src->state <= TCPS_TIME_WAIT &&
+		    dst->state <= TCPS_TIME_WAIT)
+			printf("   %s:%s\n", tcpstates[src->state],
+			    tcpstates[dst->state]);
+		else if (src->state == PF_TCPS_PROXY_SRC ||
+		    dst->state == PF_TCPS_PROXY_SRC)
+			printf("   PROXY:SRC\n");
+		else if (src->state == PF_TCPS_PROXY_DST ||
+		    dst->state == PF_TCPS_PROXY_DST)
+			printf("   PROXY:DST\n");
+		else
+			printf("   <BAD STATE LEVELS %u:%u>\n",
+			    src->state, dst->state);
+		if (opts & PF_OPT_VERBOSE) {
+			printf("   ");
+			print_seq(src);
+			if (src->wscale && dst->wscale)
+				printf(" wscale %u",
+				    src->wscale & PF_WSCALE_MASK);
+			printf("  ");
+			print_seq(dst);
+			if (src->wscale && dst->wscale)
+				printf(" wscale %u",
+				    dst->wscale & PF_WSCALE_MASK);
+			printf("\n");
+		}
+	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
+	    dst->state < PFUDPS_NSTATES) {
+		const char *states[] = PFUDPS_NAMES;
+
+		printf("   %s:%s\n", states[src->state], states[dst->state]);
+	} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
+	    dst->state < PFOTHERS_NSTATES) {
+		/* XXX ICMP doesn't really have state levels */
+		const char *states[] = PFOTHERS_NAMES;
+
+		printf("   %s:%s\n", states[src->state], states[dst->state]);
+	} else {
+		printf("   %u:%u\n", src->state, dst->state);
+	}
+
+	if (opts & PF_OPT_VERBOSE) {
+		sec = s->creation % 60;
+		s->creation /= 60;
+		min = s->creation % 60;
+		s->creation /= 60;
+		printf("   age %.2u:%.2u:%.2u", s->creation, min, sec);
+		sec = s->expire % 60;
+		s->expire /= 60;
+		min = s->expire % 60;
+		s->expire /= 60;
+		printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
+		printf(", %llu:%llu pkts, %llu:%llu bytes",
+		    (unsigned long long)pf_state_counter_from_pfsync(s->packets[0]),
+		    (unsigned long long)pf_state_counter_from_pfsync(s->packets[1]),
+		    (unsigned long long)pf_state_counter_from_pfsync(s->bytes[0]),
+		    (unsigned long long)pf_state_counter_from_pfsync(s->bytes[1]));
+		if (s->anchor != -1)
+			printf(", anchor %u", s->anchor);
+		if (s->rule != -1)
+			printf(", rule %u", s->rule);
+		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
+			printf(", source-track");
+		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
+			printf(", sticky-address");
+		printf("\n");
+	}
+	if (opts & PF_OPT_VERBOSE2) {
+		printf("   id: %016llx creatorid: %08x%s\n",
+		    (unsigned long long int)pf_state_counter_from_pfsync(s->id),
+		    ntohl(s->creatorid),
+		    ((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : ""));
+	}
+}
+
+int
+unmask(struct pf_addr *m, sa_family_t af)
+{
+	int i = 31, j = 0, b = 0;
+	u_int32_t tmp;
+
+	while (j < 4 && m->addr32[j] == 0xffffffff) {
+		b += 32;
+		j++;
+	}
+	if (j < 4) {
+		tmp = ntohl(m->addr32[j]);
+		for (i = 31; tmp & (1 << i); --i)
+			b++;
+	}
+	return (b);
+}
--- a/dist/tcpdump/print-ip.c
+++ b/dist/tcpdump/print-ip.c
@ -1,4 +1,4 @@
-/*	$NetBSD: print-ip.c,v 1.7 2007/07/24 11:53:44 drochner Exp $	*/
+/*	$NetBSD: print-ip.c,v 1.8 2009/09/14 10:36:49 degroote Exp $	*/

 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@ -27,7 +27,7 @@
 static const char rcsid[] _U_ =
    "@(#) Header: /tcpdump/master/tcpdump/print-ip.c,v 1.149.2.8 2007/01/29 20:57:47 guy Exp (LBL)";
 #else
-__RCSID("$NetBSD: print-ip.c,v 1.7 2007/07/24 11:53:44 drochner Exp $");
+__RCSID("$NetBSD: print-ip.c,v 1.8 2009/09/14 10:36:49 degroote Exp $");
 #endif
 #endif

@ -525,6 +525,10 @@ again:
 		pgm_print(ipds->cp, ipds->len, (const u_char *)ipds->ip);
 		break;

+	case IPPROTO_PFSYNC:
+		pfsync_ip_print(ipds->cp, ipds->len, (const u_char *)ipds->ip);
+		break;
+
 	default:
 		if ((proto = getprotobynumber(ipds->nh)) != NULL)
 			ND_PRINT((ndo, " %s", proto->p_name));
--- a/dist/tcpdump/print-pfsync.c
+++ b/dist/tcpdump/print-pfsync.c
@ -0,0 +1,222 @@
+/*	$NetBSD: print-pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $	*/
+/*	$OpenBSD: print-pfsync.c,v 1.30 2007/05/31 04:16:26 mcbride Exp $	*/
+
+/*
+ * Copyright (c) 2002 Michael Shalayeff
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+#ifndef lint
+#if 0
+static const char rcsid[] =
+    "@(#) $Header: /cvsroot/src/dist/tcpdump/Attic/print-pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $";
+#else
+__RCSID("$NetBSD: print-pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $");
+#endif
+#endif
+
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/file.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+
+#ifdef __STDC__
+struct rtentry;
+#endif
+#include <net/if.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
+
+#include <ctype.h>
+#include <netdb.h>
+#include <pcap.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "interface.h"
+#include "addrtoname.h"
+#include "pfctl_parser.h"
+#include "pfctl.h"
+
+const char *pfsync_acts[] = { PFSYNC_ACTIONS };
+
+static void pfsync_print(struct pfsync_header *, int);
+
+u_int
+pfsync_if_print(const struct pcap_pkthdr *h, const u_char *p)
+{
+	u_int caplen = h->caplen;
+
+	ts_print(&h->ts);
+
+	if (caplen < PFSYNC_HDRLEN) {
+		printf("[|pfsync]");
+		goto out;
+	}
+
+	pfsync_print((struct pfsync_header *)p,
+	    caplen - sizeof(struct pfsync_header));
+out:
+	if (xflag) {
+		default_print((const u_char *)h, caplen);
+	}
+	//putchar('\n');
+
+	return 0;
+}
+
+void
+pfsync_ip_print(const u_char *bp, u_int len, const u_char *bp2 __unused)
+{
+	struct pfsync_header *hdr = (struct pfsync_header *)bp;
+
+	if (len < PFSYNC_HDRLEN)
+		printf("[|pfsync]");
+	else
+		pfsync_print(hdr, (len - sizeof(struct pfsync_header)));
+	//putchar('\n');
+}
+
+static void
+pfsync_print(struct pfsync_header *hdr, int len)
+{
+	struct pfsync_state *s;
+	struct pfsync_state_upd *u;
+	struct pfsync_state_del *d;
+	struct pfsync_state_clr *c;
+	struct pfsync_state_upd_req *r;
+	struct pfsync_state_bus *b;
+	struct pfsync_tdb *t;
+	int i, flags = 0, min, sec;
+	u_int64_t id;
+
+	if (eflag)
+		printf("PFSYNCv%d count %d: ",
+		    hdr->version, hdr->count);
+
+	if (hdr->action < PFSYNC_ACT_MAX)
+		printf("%s %s:", (vflag == 0) ? "PFSYNC" : "", 
+				pfsync_acts[hdr->action]);
+	else
+		printf("%s %d?:", (vflag == 0) ? "PFSYNC" : "",
+				hdr->action);
+
+	if (!vflag) 
+		return;
+	if (vflag)
+		flags |= PF_OPT_VERBOSE;
+	if (vflag > 1)
+		flags |= PF_OPT_VERBOSE2;
+	if (!nflag)
+		flags |= PF_OPT_USEDNS;
+
+	switch (hdr->action) {
+	case PFSYNC_ACT_CLR:
+		if (sizeof(*c) <= len) {
+			c = (void *)((char *)hdr + PFSYNC_HDRLEN);
+			printf("\n\tcreatorid: %08x", htonl(c->creatorid));
+			if (c->ifname[0] != '\0')
+				printf(" interface: %s", c->ifname);
+		}
+	case PFSYNC_ACT_INS:
+	case PFSYNC_ACT_UPD:
+	case PFSYNC_ACT_DEL:
+		for (i = 1, s = (void *)((char *)hdr + PFSYNC_HDRLEN);
+		    i <= hdr->count && i * sizeof(*s) <= len; i++, s++) {
+
+			putchar('\n');
+			print_state(s, flags);
+			if (vflag > 1 && hdr->action == PFSYNC_ACT_UPD)
+				printf(" updates: %d", s->updates);
+		}
+		break;
+	case PFSYNC_ACT_UPD_C:
+		for (i = 1, u = (void *)((char *)hdr + PFSYNC_HDRLEN);
+		    i <= hdr->count && i * sizeof(*u) <= len; i++, u++) {
+			memcpy(&id, &u->id, sizeof(id));
+			printf("\n\tid: %" PRIu64 " creatorid: %08x",
+			    be64toh(id), ntohl(u->creatorid));
+			if (vflag > 1)
+				printf(" updates: %d", u->updates);
+		}
+		break;
+	case PFSYNC_ACT_DEL_C:
+		for (i = 1, d = (void *)((char *)hdr + PFSYNC_HDRLEN);
+		    i <= hdr->count && i * sizeof(*d) <= len; i++, d++) {
+			memcpy(&id, &d->id, sizeof(id));
+			printf("\n\tid: %" PRIu64 " creatorid: %08x",
+			    be64toh(id), ntohl(d->creatorid));
+		}
+		break;
+	case PFSYNC_ACT_UREQ:
+		for (i = 1, r = (void *)((char *)hdr + PFSYNC_HDRLEN);
+		    i <= hdr->count && i * sizeof(*r) <= len; i++, r++) {
+			memcpy(&id, &r->id, sizeof(id));
+			printf("\n\tid: %" PRIu64 " creatorid: %08x",
+			    be64toh(id), ntohl(r->creatorid));
+		}
+		break;
+	case PFSYNC_ACT_BUS:
+		if (sizeof(*b) <= len) {
+			b = (void *)((char *)hdr + PFSYNC_HDRLEN);
+			printf("\n\tcreatorid: %08x", htonl(b->creatorid));
+			sec = b->endtime % 60;
+			b->endtime /= 60;
+			min = b->endtime % 60;
+			b->endtime /= 60;
+			printf(" age %.2u:%.2u:%.2u", b->endtime, min, sec);
+			switch (b->status) {
+			case PFSYNC_BUS_START:
+				printf(" status: start");
+				break;
+			case PFSYNC_BUS_END:
+				printf(" status: end");
+				break;
+			default:
+				printf(" status: ?");
+				break;
+			}
+		}
+		break;
+	case PFSYNC_ACT_TDB_UPD:
+		for (i = 1, t = (void *)((char *)hdr + PFSYNC_HDRLEN);
+		    i <= hdr->count && i * sizeof(*t) <= len; i++, t++)
+			printf("\n\tspi: %08x rpl: %u cur_bytes: %llu",
+			    htonl(t->spi), htonl(t->rpl),
+			    be64toh(t->cur_bytes));
+			/* XXX add dst and sproto? */
+		break;
+	default:
+		break;
+	}
+}
--- a/dist/tcpdump/tcpdump.c
+++ b/dist/tcpdump/tcpdump.c
@ -1,4 +1,4 @@
-/*	$NetBSD: tcpdump.c,v 1.8 2007/07/24 11:53:50 drochner Exp $	*/
+/*	$NetBSD: tcpdump.c,v 1.9 2009/09/14 10:36:49 degroote Exp $	*/

 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000
@ -36,7 +36,7 @@ The Regents of the University of California.  All rights reserved.\n";
 static const char rcsid[] _U_ =
    "@(#) Header: /tcpdump/master/tcpdump/tcpdump.c,v 1.253.2.12 2006/02/01 14:39:56 hannes Exp (LBL)";
 #else
-__RCSID("$NetBSD: tcpdump.c,v 1.8 2007/07/24 11:53:50 drochner Exp $");
+__RCSID("$NetBSD: tcpdump.c,v 1.9 2009/09/14 10:36:49 degroote Exp $");
 #endif
 #endif

@ -200,6 +200,9 @@ static struct printer printers[] = {
 #ifdef DLT_PFLOG
 	{ pflog_if_print, 	DLT_PFLOG },
 #endif
+#ifdef DLT_PFSYNC
+	{ pfsync_if_print,  DLT_PFSYNC },
+#endif
 #ifdef DLT_FR
 	{ fr_if_print,		DLT_FR },
 #endif
--- a/distrib/sets/lists/man/mi
+++ b/distrib/sets/lists/man/mi
@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1157 2009/09/08 07:08:01 skrll Exp $
+# $NetBSD: mi,v 1.1158 2009/09/14 10:36:49 degroote Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@ -1285,6 +1285,7 @@
 ./usr/share/man/cat4/pdcsata.0			man-sys-catman		.cat
 ./usr/share/man/cat4/pf.0			man-pf-catman		pf,.cat
 ./usr/share/man/cat4/pflog.0			man-pf-catman		pf,.cat
+./usr/share/man/cat4/pfsync.0			man-pf-catman		pf,.cat
 ./usr/share/man/cat4/phy.0			man-sys-catman		.cat
 ./usr/share/man/cat4/piixide.0			man-sys-catman		.cat
 ./usr/share/man/cat4/piixpcib.0			man-sys-catman		.cat
@ -3851,6 +3852,7 @@
 ./usr/share/man/html4/pdcsata.html		man-sys-htmlman		html
 ./usr/share/man/html4/pf.html			man-pf-htmlman		pf,html
 ./usr/share/man/html4/pflog.html		man-pf-htmlman		pf,html
+./usr/share/man/html4/pfsync.html		man-pf-htmlman		pf,html
 ./usr/share/man/html4/phy.html			man-sys-htmlman		html
 ./usr/share/man/html4/piixide.html		man-sys-htmlman		html
 ./usr/share/man/html4/piixpcib.html		man-sys-htmlman		html
@ -6295,6 +6297,7 @@
 ./usr/share/man/man4/pdcsata.4			man-sys-man		.man
 ./usr/share/man/man4/pf.4			man-pf-man		pf,.man
 ./usr/share/man/man4/pflog.4			man-pf-man		pf,.man
+./usr/share/man/man4/pfsync.4			man-pf-man		pf,.man
 ./usr/share/man/man4/phy.4			man-sys-man		.man
 ./usr/share/man/man4/piixide.4			man-sys-man		.man
 ./usr/share/man/man4/piixpcib.4			man-sys-man		.man
--- a/etc/protocols
+++ b/etc/protocols
@ -1,4 +1,4 @@
-# $NetBSD: protocols,v 1.20 2008/11/30 08:49:25 tsutsui Exp $
+# $NetBSD: protocols,v 1.21 2009/09/14 10:36:49 degroote Exp $
 # See also: protocols(5), http://www.sethwklein.net/projects/iana-etc/
 #
 # 
@ -157,6 +157,7 @@ mobility     135 Mobility     # Header                               [RFC3775]
 udplite      136 UDPLite      # [RFC3828]
 mpls-in-ip   137 MPLS-in-IP   # [RFC4023]
 #    138-252 Unassigned                                       [IANA]
+pfsync		 240 PFSYNC		  # PF Synchronization
 use          253 Use          # for experimentation and testing           [RFC3692] 
 use          254 Use          # for experimentation and testing           [RFC3692] 
 #    255                 Reserved                             [IANA]
--- a/sbin/ifconfig/Makefile.inc
+++ b/sbin/ifconfig/Makefile.inc
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.inc,v 1.3 2009/05/26 21:58:31 pooka Exp $
+#	$NetBSD: Makefile.inc,v 1.4 2009/09/14 10:36:49 degroote Exp $

 PROG=	ifconfig

@ -19,3 +19,6 @@ SRCS+= parse.c
 SRCS+= tunnel.c
 SRCS+= util.c
 SRCS+= vlan.c
+
+CPPFLAGS+=-I ${.CURDIR}/../../sys/dist/pf/ 
+SRCS+= pfsync.c
--- a/sbin/ifconfig/ifconfig.8
+++ b/sbin/ifconfig/ifconfig.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: ifconfig.8,v 1.100 2009/08/07 20:13:12 dyoung Exp $
+.\"	$NetBSD: ifconfig.8,v 1.101 2009/09/14 10:36:49 degroote Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -723,6 +723,37 @@ support it.
 .It Cm -tso6
 Disable hardware-assisted TCP/IPv6 segmentation on interfaces that
 support it.
+.It Cm maxupd Ar n
+If the driver is a
+.Xr pfsync 4
+pseudo-device, indicate the maximum number
+of updates for a single state which can be collapsed into one.
+This is an 8-bit number; the default value is 128.
+.It Cm syncdev Ar iface
+If the driver is a
+.Xr pfsync 4
+pseudo-device, use the specified interface
+to send and receive pfsync state synchronisation messages.
+.It Fl syncdev
+If the driver is a
+.Xr pfsync 4
+pseudo-device, stop sending pfsync state
+synchronisation messages over the network.
+.It Cm syncpeer Ar peer_address
+If the driver is a
+.Xr pfsync 4
+pseudo-device, make the pfsync link point-to-point rather than using
+multicast to broadcast the state synchronisation messages.
+The peer_address is the IP address of the other host taking part in
+the pfsync cluster.
+With this option,
+.Xr pfsync 4
+traffic can be protected using
+.Xr ipsec 4 .
+.It Fl syncpeer
+If the driver is a
+.Xr pfsync 4
+pseudo-device, broadcast the packets using multicast.
 .El
 .Pp
 .Nm
@ -848,6 +879,7 @@ tried to alter an interface's configuration.
 .Xr carp 4 ,
 .Xr ifmedia 4 ,
 .Xr netintro 4 ,
+.Xr pfsync 4 ,
 .Xr vlan 4 ,
 .Xr ifconfig.if 5 ,
 .\" .Xr eon 5 ,
--- a/sbin/ifconfig/pfsync.c
+++ b/sbin/ifconfig/pfsync.c
@ -0,0 +1,229 @@
+/*	$NetBSD: pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $	*/
+/*-
+ * Copyright (c) 2009 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+#ifndef lint
+__RCSID("$NetBSD: pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $");
+#endif /* not lint */
+
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/sockio.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
+
+#include <arpa/inet.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <err.h>
+#include <errno.h>
+#include <util.h>
+
+#include "env.h"
+#include "parse.h"
+#include "extern.h"
+
+static status_func_t status;
+static usage_func_t usage;
+static cmdloop_branch_t branch;
+
+static void pfsync_constructor(void) __attribute__((constructor));
+static void pfsync_status(prop_dictionary_t, prop_dictionary_t);
+static int setpfsync_maxupd(prop_dictionary_t, prop_dictionary_t);
+static int setpfsync_peer(prop_dictionary_t, prop_dictionary_t);
+static int setpfsyncdev(prop_dictionary_t, prop_dictionary_t);
+
+struct pinteger parse_maxupd = PINTEGER_INITIALIZER1(&parse_maxupd, "maxupd",
+    0, 255, 10, setpfsync_maxupd, "maxupd", &command_root.pb_parser);
+
+struct piface pfsyncdev = PIFACE_INITIALIZER(&pfsyncdev, "syncdev", setpfsyncdev,
+    "syncdev", &command_root.pb_parser);
+
+struct paddr parse_sync_peer = PADDR_INITIALIZER(&parse_sync_peer, "syncpeer",
+		setpfsync_peer, "syncpeer", NULL, NULL, NULL, &command_root.pb_parser);
+
+static const struct kwinst pfsynckw[] = {
+	{.k_word = "maxupd", .k_nextparser = &parse_maxupd.pi_parser},
+	{.k_word = "syncdev", .k_nextparser = &pfsyncdev.pif_parser},
+	{.k_word = "-syncdev", .k_key = "syncdev", .k_type = KW_T_STR,
+	    .k_str = "", .k_exec = setpfsyncdev,
+	    .k_nextparser = &command_root.pb_parser},
+	{.k_word = "syncpeer", .k_nextparser = &parse_sync_peer.pa_parser},
+	{.k_word = "-syncpeer", .k_key = "syncpeer", .k_type = KW_T_STR,
+	    .k_str = "", .k_exec = setpfsync_peer,
+	    .k_nextparser = &command_root.pb_parser}
+};
+
+struct pkw pfsync = PKW_INITIALIZER(&pfsync, "pfsync", NULL, NULL,
+    pfsynckw, __arraycount(pfsynckw), NULL);
+
+static void
+pfsync_set(prop_dictionary_t env, struct pfsyncreq *pfsyncr)
+{
+	if (indirect_ioctl(env, SIOCSETPFSYNC, pfsyncr) == -1)
+		err(EXIT_FAILURE, "SIOCSETPFSYNC");
+}
+
+static int
+pfsync_get1(prop_dictionary_t env, struct pfsyncreq *pfsyncr)
+{
+	memset(pfsyncr, 0, sizeof(*pfsyncr));
+
+	return indirect_ioctl(env, SIOCGETPFSYNC, pfsyncr);
+}
+
+static void
+pfsync_get(prop_dictionary_t env, struct pfsyncreq *pfsyncr)
+{
+	if (pfsync_get1(env, pfsyncr) == -1)
+		err(EXIT_FAILURE, "SIOCGETPFSYNC");
+}
+
+static void
+pfsync_status(prop_dictionary_t env, prop_dictionary_t oenv)
+{
+	struct pfsyncreq pfsyncr;
+
+	if (pfsync_get1(env, &pfsyncr) == -1)
+		return;
+
+	if (pfsyncr.pfsyncr_syncdev[0] != '\0') {
+		printf("\tpfsync: syncdev: %s ", pfsyncr.pfsyncr_syncdev);
+		if (pfsyncr.pfsyncr_syncpeer.s_addr != INADDR_PFSYNC_GROUP)
+			printf("syncpeer: %s ",
+			    inet_ntoa(pfsyncr.pfsyncr_syncpeer));
+		printf("maxupd: %d\n", pfsyncr.pfsyncr_maxupdates);
+	}
+}
+
+/* ARGSUSED */
+int
+setpfsync_maxupd(prop_dictionary_t env, prop_dictionary_t oenv)
+{
+	struct pfsyncreq pfsyncr;
+	uint8_t maxupd;
+
+	if (!prop_dictionary_get_uint8(env, "maxupd", &maxupd)) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	pfsync_get(env, &pfsyncr);
+
+	pfsyncr.pfsyncr_maxupdates = maxupd;
+
+	pfsync_set(env, &pfsyncr);
+	return 0;
+}
+
+
+/* ARGSUSED */
+int
+setpfsyncdev(prop_dictionary_t env, prop_dictionary_t oenv)
+{
+	struct pfsyncreq pfsyncr;
+	const char *dev;
+
+	if (!prop_dictionary_get_cstring_nocopy(env, "syncdev", &dev)) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	pfsync_get(env, &pfsyncr);
+
+	strlcpy(pfsyncr.pfsyncr_syncdev, dev, sizeof(pfsyncr.pfsyncr_syncdev));
+
+	pfsync_set(env, &pfsyncr);
+	return 0;
+}
+
+/* ARGSUSED */
+int
+setpfsync_peer(prop_dictionary_t env, prop_dictionary_t oenv)
+{
+	struct pfsyncreq pfsyncr;
+	prop_data_t data;
+	const struct paddr_prefix *peerpfx;
+	const struct sockaddr_in *s;
+
+	data = (prop_data_t)prop_dictionary_get(env, "syncpeer");
+	if (data == NULL) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	pfsync_get(env, &pfsyncr);
+
+	peerpfx = prop_data_data_nocopy(data);
+
+	if (peerpfx != NULL) {
+		// Only AF_INET is supported for now
+		if (peerpfx->pfx_addr.sa_family != AF_INET) {
+			errno = ENOENT;
+			return -1;
+		}
+
+
+		s = (const struct sockaddr_in*)&peerpfx->pfx_addr;
+
+		memcpy(&pfsyncr.pfsyncr_syncpeer.s_addr, &s->sin_addr,
+		    MIN(sizeof(pfsyncr.pfsyncr_syncpeer.s_addr),
+		    peerpfx->pfx_addr.sa_len));	   
+	} else {
+		memset(&pfsyncr.pfsyncr_syncpeer.s_addr, 0,
+		    sizeof(pfsyncr.pfsyncr_syncpeer.s_addr));
+	}
+
+	pfsync_set(env, &pfsyncr);
+
+	return 0;
+}
+
+static void
+pfsync_usage(prop_dictionary_t env)
+{
+	fprintf(stderr,
+	    "\t[ maxupd n ] [ syncdev iface ] [syncpeer peer_addr]\n");
+}
+
+static void
+pfsync_constructor(void)
+{
+	cmdloop_branch_init(&branch, &pfsync.pk_parser);
+	register_cmdloop_branch(&branch);
+	status_func_init(&status, pfsync_status);
+	usage_func_init(&usage, pfsync_usage);
+	register_status(&status);
+	register_usage(&usage);
+}
--- a/sys/dist/pf/net/if_pfsync.c
+++ b/sys/dist/pf/net/if_pfsync.c
--- a/sys/dist/pf/net/if_pfsync.h
+++ b/sys/dist/pf/net/if_pfsync.h
@ -0,0 +1,284 @@
+/*	$NetBSD: if_pfsync.h,v 1.3 2009/09/14 10:36:49 degroote Exp $	*/
+/*	$OpenBSD: if_pfsync.h,v 1.31 2007/05/31 04:11:42 mcbride Exp $	*/
+
+/*
+ * Copyright (c) 2001 Michael Shalayeff
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _NET_IF_PFSYNC_H_
+#define _NET_IF_PFSYNC_H_
+
+#define  INADDR_PFSYNC_GROUP     __IPADDR(0xe00000f0)    /* 224.0.0.240 */
+
+#define PFSYNC_ID_LEN	sizeof(u_int64_t)
+
+struct pfsync_tdb {
+	u_int32_t	spi;
+	union sockaddr_union dst;
+	u_int32_t	rpl;
+	u_int64_t	cur_bytes;
+	u_int8_t	sproto;
+	u_int8_t	updates;
+	u_int8_t	pad[2];
+} __packed;
+
+struct pfsync_state_upd {
+	u_int32_t		id[2];
+	struct pfsync_state_peer	src;
+	struct pfsync_state_peer	dst;
+	u_int32_t		creatorid;
+	u_int32_t		expire;
+	u_int8_t		timeout;
+	u_int8_t		updates;
+	u_int8_t		pad[6];
+} __packed;
+
+struct pfsync_state_del {
+	u_int32_t		id[2];
+	u_int32_t		creatorid;
+	struct {
+		u_int8_t	state;
+	} src;
+	struct {
+		u_int8_t	state;
+	} dst;
+	u_int8_t		pad[2];
+} __packed;
+
+struct pfsync_state_upd_req {
+	u_int32_t		id[2];
+	u_int32_t		creatorid;
+	u_int32_t		pad;
+} __packed;
+
+struct pfsync_state_clr {
+	char			ifname[IFNAMSIZ];
+	u_int32_t		creatorid;
+	u_int32_t		pad;
+} __packed;
+
+struct pfsync_state_bus {
+	u_int32_t		creatorid;
+	u_int32_t		endtime;
+	u_int8_t		status;
+#define PFSYNC_BUS_START	1
+#define PFSYNC_BUS_END		2
+	u_int8_t		pad[7];
+} __packed;
+
+#ifdef _KERNEL
+
+union sc_statep {
+	struct pfsync_state	*s;
+	struct pfsync_state_upd	*u;
+	struct pfsync_state_del	*d;
+	struct pfsync_state_clr	*c;
+	struct pfsync_state_bus	*b;
+	struct pfsync_state_upd_req	*r;
+};
+
+union sc_tdb_statep {
+	struct pfsync_tdb	*t;
+};
+
+extern int	pfsync_sync_ok;
+
+struct pfsync_softc {
+	struct ifnet		 sc_if;
+	struct ifnet		*sc_sync_ifp;
+
+	struct ip_moptions	 sc_imo;
+	struct callout		 sc_tmo;
+	struct callout		 sc_tdb_tmo;
+	struct callout		 sc_bulk_tmo;
+	struct callout		 sc_bulkfail_tmo;
+	struct in_addr		 sc_sync_peer;
+	struct in_addr		 sc_sendaddr;
+	struct mbuf		*sc_mbuf;	/* current cumulative mbuf */
+	struct mbuf		*sc_mbuf_net;	/* current cumulative mbuf */
+    	struct mbuf		*sc_mbuf_tdb;	/* dito for TDB updates */
+	union sc_statep		 sc_statep;
+	union sc_statep		 sc_statep_net;
+	union sc_tdb_statep	 sc_statep_tdb;
+	u_int32_t		 sc_ureq_received;
+	u_int32_t		 sc_ureq_sent;
+	struct pf_state		*sc_bulk_send_next;
+	struct pf_state		*sc_bulk_terminator;
+	int			 sc_bulk_tries;
+	int			 sc_maxcount;	/* number of states in mtu */
+	int			 sc_maxupdates;	/* number of updates/state */
+};
+
+extern struct pfsync_softc	*pfsyncif;
+#endif
+
+
+struct pfsync_header {
+	u_int8_t version;
+#define	PFSYNC_VERSION	3
+	u_int8_t af;
+	u_int8_t action;
+#define	PFSYNC_ACT_CLR		0	/* clear all states */
+#define	PFSYNC_ACT_INS		1	/* insert state */
+#define	PFSYNC_ACT_UPD		2	/* update state */
+#define	PFSYNC_ACT_DEL		3	/* delete state */
+#define	PFSYNC_ACT_UPD_C	4	/* "compressed" state update */
+#define	PFSYNC_ACT_DEL_C	5	/* "compressed" state delete */
+#define	PFSYNC_ACT_INS_F	6	/* insert fragment */
+#define	PFSYNC_ACT_DEL_F	7	/* delete fragments */
+#define	PFSYNC_ACT_UREQ		8	/* request "uncompressed" state */
+#define PFSYNC_ACT_BUS		9	/* Bulk Update Status */
+#define PFSYNC_ACT_TDB_UPD	10	/* TDB replay counter update */
+#define	PFSYNC_ACT_MAX		11
+	u_int8_t count;
+	u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
+} __packed;
+
+#define PFSYNC_BULKPACKETS	1	/* # of packets per timeout */
+#define PFSYNC_MAX_BULKTRIES	12
+#define PFSYNC_HDRLEN	sizeof(struct pfsync_header)
+#define	PFSYNC_ACTIONS \
+	"CLR ST", "INS ST", "UPD ST", "DEL ST", \
+	"UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
+	"UPD REQ", "BLK UPD STAT", "TDB UPD"
+
+#define PFSYNC_DFLTTL		255
+
+#define PFSYNC_STAT_IPACKETS	0	/* total input packets, IPv4 */
+#define PFSYNC_STAT_IPACKETS6	1	/* total input packets, IPv6 */
+#define PFSYNC_STAT_BADIF		2	/* not the right interface */
+#define PFSYNC_STAT_BADTTL		3	/* TTL is not PFSYNC_DFLTTL */
+#define PFSYNC_STAT_HDROPS		4	/* packets shorter than hdr */
+#define PFSYNC_STAT_BADVER		5	/* bad (incl unsupp) version */
+#define PFSYNC_STAT_BADACT		6	/* bad action */
+#define PFSYNC_STAT_BADLEN		7	/* data length does not match */
+#define PFSYNC_STAT_BADAUTH		8	/* bad authentication */
+#define PFSYNC_STAT_STALE		9	/* stale state */
+#define PFSYNC_STAT_BADVAL		10	/* bad values */
+#define PFSYNC_STAT_BADSTATE	11	/* insert/lookup failed */
+#define PFSYNC_STAT_OPACKETS	12	/* total output packets, IPv4 */
+#define PFSYNC_STAT_OPACKETS6	13	/* total output packets, IPv6 */
+#define PFSYNC_STAT_ONOMEM		14	/* no memory for an mbuf */
+#define PFSYNC_STAT_OERRORS		15	/* ip output error */
+
+#define PFSYNC_NSTATS			16
+
+/*
+ * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
+ */
+struct pfsyncreq {
+	char		 pfsyncr_syncdev[IFNAMSIZ];
+	struct in_addr	 pfsyncr_syncpeer;
+	int		 pfsyncr_maxupdates;
+	int		 pfsyncr_authlevel;
+};
+
+
+/* for copies to/from network */
+#define pf_state_peer_hton(s,d) do {		\
+	(d)->seqlo = htonl((s)->seqlo);		\
+	(d)->seqhi = htonl((s)->seqhi);		\
+	(d)->seqdiff = htonl((s)->seqdiff);	\
+	(d)->max_win = htons((s)->max_win);	\
+	(d)->mss = htons((s)->mss);		\
+	(d)->state = (s)->state;		\
+	(d)->wscale = (s)->wscale;		\
+	if ((s)->scrub) {						\
+		(d)->scrub.pfss_flags = 				\
+		    htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP);	\
+		(d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;		\
+		(d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
+		(d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;	\
+	}								\
+} while (0)
+
+#define pf_state_peer_ntoh(s,d) do {		\
+	(d)->seqlo = ntohl((s)->seqlo);		\
+	(d)->seqhi = ntohl((s)->seqhi);		\
+	(d)->seqdiff = ntohl((s)->seqdiff);	\
+	(d)->max_win = ntohs((s)->max_win);	\
+	(d)->mss = ntohs((s)->mss);		\
+	(d)->state = (s)->state;		\
+	(d)->wscale = (s)->wscale;		\
+	if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && 	\
+	    (d)->scrub != NULL) {					\
+		(d)->scrub->pfss_flags =				\
+		    ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;	\
+		(d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;		\
+		(d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
+	}								\
+} while (0)
+
+#define pf_state_host_hton(s,d) do {				\
+	memcpy(&(d)->addr, &(s)->addr, sizeof((d)->addr));	\
+	(d)->port = (s)->port;					\
+} while (0)
+
+#define pf_state_host_ntoh(s,d) do {				\
+	memcpy(&(d)->addr, &(s)->addr, sizeof((d)->addr));	\
+	(d)->port = (s)->port;					\
+} while (0)
+
+#define pf_state_counter_hton(s,d) do {				\
+	d[0] = htonl((s>>32)&0xffffffff);			\
+	d[1] = htonl(s&0xffffffff);				\
+} while (0)
+
+#define pf_state_counter_ntoh(s,d) do {				\
+	d = ntohl(s[0]);					\
+	d = d<<32;						\
+	d += ntohl(s[1]);					\
+} while (0)
+
+#ifdef _KERNEL
+void pfsync_input(struct mbuf *, ...);
+int pfsync_clear_states(u_int32_t, char *);
+int pfsync_pack_state(u_int8_t, struct pf_state *, int);
+#define pfsync_insert_state(st)	do {				\
+	if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) ||	\
+	    (st->state_key->proto == IPPROTO_PFSYNC))			\
+		st->sync_flags |= PFSTATE_NOSYNC;		\
+	else if (!st->sync_flags)				\
+		pfsync_pack_state(PFSYNC_ACT_INS, (st), 	\
+		    PFSYNC_FLAG_COMPRESS);			\
+	st->sync_flags &= ~PFSTATE_FROMSYNC;			\
+} while (0)
+#define pfsync_update_state(st) do {				\
+	if (!st->sync_flags)					\
+		pfsync_pack_state(PFSYNC_ACT_UPD, (st), 	\
+		    PFSYNC_FLAG_COMPRESS);			\
+	st->sync_flags &= ~PFSTATE_FROMSYNC;			\
+} while (0)
+#define pfsync_delete_state(st) do {				\
+	if (!st->sync_flags)					\
+		pfsync_pack_state(PFSYNC_ACT_DEL, (st),		\
+		    PFSYNC_FLAG_COMPRESS);			\
+} while (0)
+#ifdef NOTYET
+int pfsync_update_tdb(struct tdb *, int);
+#endif /* NOTYET */
+#endif
+
+#endif /* _NET_IF_PFSYNC_H_ */
--- a/sys/dist/pf/net/pf.c
+++ b/sys/dist/pf/net/pf.c
@ -1,4 +1,4 @@
-/*	$NetBSD: pf.c,v 1.56 2009/07/28 18:15:26 minskim Exp $	*/
+/*	$NetBSD: pf.c,v 1.57 2009/09/14 10:36:49 degroote Exp $	*/
 /*	$OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */

 /*
@ -37,16 +37,12 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.56 2009/07/28 18:15:26 minskim Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.57 2009/09/14 10:36:49 degroote Exp $");

 #include "bpfilter.h"
 #include "pflog.h"

-#ifndef __NetBSD__
 #include "pfsync.h"
-#else
-#define NPFSYNC	0
-#endif /* __NetBSD__ */

 #include <sys/param.h>
 #include <sys/systm.h>
--- a/sys/dist/pf/net/pf_ioctl.c
+++ b/sys/dist/pf/net/pf_ioctl.c
@ -1,4 +1,4 @@
-/*	$NetBSD: pf_ioctl.c,v 1.35 2009/07/28 18:15:26 minskim Exp $	*/
+/*	$NetBSD: pf_ioctl.c,v 1.36 2009/09/14 10:36:50 degroote Exp $	*/
 /*	$OpenBSD: pf_ioctl.c,v 1.182 2007/06/24 11:17:13 mcbride Exp $ */

 /*
@ -37,18 +37,14 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.35 2009/07/28 18:15:26 minskim Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.36 2009/09/14 10:36:50 degroote Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_pfil_hooks.h"
 #endif

-#ifndef __NetBSD__
 #include "pfsync.h"
-#else
-#define NPFSYNC 0
-#endif /* __NetBSD__ */

 #include <sys/param.h>
 #include <sys/systm.h>
--- a/sys/net/files.pf
+++ b/sys/net/files.pf
@ -1,11 +1,11 @@
-#	$NetBSD: files.pf,v 1.4 2008/06/18 09:06:28 yamt Exp $
+#	$NetBSD: files.pf,v 1.5 2009/09/14 10:36:50 degroote Exp $

 defpseudo pf:		ifnet
 defpseudo pflog:	ifnet
-#defpseudo pfsync:	ifnet
+defpseudo pfsync:	ifnet

 file	dist/pf/net/if_pflog.c		pflog		needs-flag
-#file	dist/pf/net/if_pfsync.c		pfsync		needs-flag
+file	dist/pf/net/if_pfsync.c		pfsync		needs-flag

 file	dist/pf/net/pf.c		pf		needs-flag
 file	dist/pf/net/pf_if.c		pf
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@ -1,4 +1,4 @@
-/*	$NetBSD: in.h,v 1.85 2009/07/17 22:02:54 minskim Exp $	*/
+/*	$NetBSD: in.h,v 1.86 2009/09/14 10:36:50 degroote Exp $	*/

 /*
 * Copyright (c) 1982, 1986, 1990, 1993
@ -103,6 +103,7 @@ typedef __sa_family_t	sa_family_t;
 #define	IPPROTO_IPCOMP		108		/* IP Payload Comp. Protocol */
 #define	IPPROTO_VRRP		112		/* VRRP RFC 2338 */
 #define	IPPROTO_CARP		112		/* Common Address Resolution Protocol */
+#define IPPROTO_PFSYNC      240     /* PFSYNC */
 #define	IPPROTO_RAW		255		/* raw IP packet */
 #define	IPPROTO_MAX		256

--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@ -1,4 +1,4 @@
-/*	$NetBSD: in_proto.c,v 1.97 2009/02/28 18:31:12 pooka Exp $	*/
+/*	$NetBSD: in_proto.c,v 1.98 2009/09/14 10:36:50 degroote Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -61,7 +61,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.97 2009/02/28 18:31:12 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.98 2009/09/14 10:36:50 degroote Exp $");

 #include "opt_mrouting.h"
 #include "opt_eon.h"			/* ISO CLNL over IP */
@ -144,6 +144,12 @@ __KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.97 2009/02/28 18:31:12 pooka Exp $");
 #include <netinet/ip_carp.h>
 #endif

+#include "pfsync.h"
+#if NPFSYNC > 0
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
+#endif
+
 #include "etherip.h"
 #if NETHERIP > 0
 #include <netinet/ip_etherip.h>
@ -358,6 +364,17 @@ const struct protosw inetsw[] = {
 	.pr_usrreq = rip_usrreq,
 },
 #endif /* NCARP > 0 */
+#if NPFSYNC > 0
+{	.pr_type = SOCK_RAW,
+	.pr_domain = &inetdomain,
+	.pr_protocol = IPPROTO_PFSYNC,
+	.pr_flags	 = PR_ATOMIC|PR_ADDR,
+	.pr_input	 = pfsync_input,
+	.pr_output	 = rip_output,
+	.pr_ctloutput = rip_ctloutput,
+	.pr_usrreq	 = rip_usrreq,
+},
+#endif /* NPFSYNC > 0 */
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inetdomain,
 	.pr_protocol = IPPROTO_IGMP,
--- a/sys/rump/librump/rumpnet/opt/pfsync.h
+++ b/sys/rump/librump/rumpnet/opt/pfsync.h
@ -0,0 +1,2 @@
+/*	$NetBSD: pfsync.h,v 1.1 2009/09/14 10:36:50 degroote Exp $	*/
+
--- a/sys/sys/sockio.h
+++ b/sys/sys/sockio.h
@ -1,4 +1,4 @@
-/*	$NetBSD: sockio.h,v 1.28 2009/01/11 02:45:55 christos Exp $	*/
+/*	$NetBSD: sockio.h,v 1.29 2009/09/14 10:36:50 degroote Exp $	*/

 /*-
 * Copyright (c) 1982, 1986, 1990, 1993, 1994
@ -129,4 +129,7 @@
 #define	SIOCZIFDATA	_IOWR('i', 134, struct ifdatareq) /* get if_data then
 							     zero ctrs*/

+#define	SIOCSETPFSYNC	_IOW('i', 247, struct ifreq)	
+#define	SIOCGETPFSYNC	_IOWR('i', 248, struct ifreq)
+
 #endif /* !_SYS_SOCKIO_H_ */
--- a/usr.bin/netstat/Makefile
+++ b/usr.bin/netstat/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.28 2007/05/28 12:06:29 tls Exp $
+#	$NetBSD: Makefile,v 1.29 2009/09/14 10:36:50 degroote Exp $
 #	from: @(#)Makefile	8.1 (Berkeley) 6/12/93

 .include <bsd.own.mk>
@ -9,12 +9,13 @@ PROG=	netstat
 SRCS=	atalk.c bpf.c fast_ipsec.c if.c inet.c inet6.c ipsec.c iso.c \
 	main.c mbuf.c mroute.c mroute6.c show.c route.c tp_astring.c \
 	unix.c
-.PATH:	${NETBSDSRCDIR}/sys/netiso
+.PATH:	${NETBSDSRCDIR}/sys/netiso 
 BINGRP=	kmem
 BINMODE=2555
 LDADD=	-lkvm
 DPADD=	${LIBKVM}
 CPPFLAGS+= -DIPSEC
+CPPFLAGS+= -I${NETBSDSRCDIR}/sys/dist/pf

 .if (${USE_INET6} != "no")
 CPPFLAGS+= -DINET6
--- a/usr.bin/netstat/inet.c
+++ b/usr.bin/netstat/inet.c
@ -1,4 +1,4 @@
-/*	$NetBSD: inet.c,v 1.90 2009/04/12 16:08:37 lukem Exp $	*/
+/*	$NetBSD: inet.c,v 1.91 2009/09/14 10:36:50 degroote Exp $	*/

 /*
 * Copyright (c) 1983, 1988, 1993
@ -34,7 +34,7 @@
 #if 0
 static char sccsid[] = "from: @(#)inet.c	8.4 (Berkeley) 4/20/94";
 #else
-__RCSID("$NetBSD: inet.c,v 1.90 2009/04/12 16:08:37 lukem Exp $");
+__RCSID("$NetBSD: inet.c,v 1.91 2009/09/14 10:36:50 degroote Exp $");
 #endif
 #endif /* not lint */

@ -76,6 +76,8 @@ __RCSID("$NetBSD: inet.c,v 1.90 2009/04/12 16:08:37 lukem Exp $");
 #include <netinet/udp.h>
 #include <netinet/ip_carp.h>
 #include <netinet/udp_var.h>
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>

 #include <arpa/inet.h>
 #include <kvm.h>
@ -684,6 +686,52 @@ carp_stats(u_long off, const char *name)
 #undef p2
 }

+/*
+ * Dump PFSYNC statistics structure.
+ */
+void
+pfsync_stats(u_long off, const char *name)
+{
+	uint64_t pfsyncstat[PFSYNC_NSTATS];
+
+	if (use_sysctl) {
+		size_t size = sizeof(pfsyncstat);
+
+		if (sysctlbyname("net.inet.pfsync.stats", pfsyncstat, &size,
+				 NULL, 0) == -1)
+			return;
+	} else {
+		warnx("%s stats not available via KVM.", name);
+		return;
+	}
+
+	printf("%s:\n", name);
+
+#define p(f, m) if (pfsyncstat[f] || sflag <= 1) \
+	printf(m, pfsyncstat[f], plural(pfsyncstat[f]))
+#define p2(f, m) if (pfsyncstat[f] || sflag <= 1) \
+	printf(m, pfsyncstat[f])
+
+	p(PFSYNC_STAT_IPACKETS, "\t%" PRIu64 " packet%s received (IPv4)\n");
+	p(PFSYNC_STAT_IPACKETS6,"\t%" PRIu64 " packet%s received (IPv6)\n");
+	p(PFSYNC_STAT_BADIF, "\t\t%" PRIu64 " packet%s discarded for bad interface\n");
+	p(PFSYNC_STAT_BADTTL, "\t\t%" PRIu64 " packet%s discarded for bad ttl\n");
+	p(PFSYNC_STAT_HDROPS, "\t\t%" PRIu64 " packet%s shorter than header\n");
+	p(PFSYNC_STAT_BADVER, "\t\t%" PRIu64 " packet%s discarded for bad version\n");
+	p(PFSYNC_STAT_BADAUTH, "\t\t%" PRIu64 " packet%s discarded for bad HMAC\n");
+	p(PFSYNC_STAT_BADACT,"\t\t%" PRIu64 " packet%s discarded for bad action\n");
+	p(PFSYNC_STAT_BADLEN, "\t\t%" PRIu64 " packet%s discarded for short packet\n");
+	p(PFSYNC_STAT_BADVAL, "\t\t%" PRIu64 " state%s discarded for bad values\n");
+	p(PFSYNC_STAT_STALE, "\t\t%" PRIu64 " stale state%s\n");
+	p(PFSYNC_STAT_BADSTATE, "\t\t%" PRIu64 " failed state lookup/insert%s\n");
+	p(PFSYNC_STAT_OPACKETS, "\t%" PRIu64 " packet%s sent (IPv4)\n");
+	p(PFSYNC_STAT_OPACKETS6, "\t%" PRIu64 " packet%s sent (IPv6)\n");
+	p2(PFSYNC_STAT_ONOMEM, "\t\t%" PRIu64 " send failed due to mbuf memory error\n");
+	p2(PFSYNC_STAT_OERRORS, "\t\t%" PRIu64 " send error\n");
+#undef p
+#undef p2
+}
+
 /*
 * Dump PIM statistics structure.
 */
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.72 2009/09/13 02:53:17 elad Exp $	*/
+/*	$NetBSD: main.c,v 1.73 2009/09/14 10:36:51 degroote Exp $	*/

 /*
 * Copyright (c) 1983, 1988, 1993
@ -39,7 +39,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 1988, 1993\
 #if 0
 static char sccsid[] = "from: @(#)main.c	8.4 (Berkeley) 3/1/94";
 #else
-__RCSID("$NetBSD: main.c,v 1.72 2009/09/13 02:53:17 elad Exp $");
+__RCSID("$NetBSD: main.c,v 1.73 2009/09/14 10:36:51 degroote Exp $");
 #endif
 #endif /* not lint */

@ -198,6 +198,8 @@ struct nlist nl[] = {
 	{ "_pimstat", 0, 0, 0, 0 },
 #define N_CARPSTAT	65
 	{ "_carpstats", 0, 0, 0, 0 },	/* not available via kvm */
+#define N_PFSYNCSTAT	66
+	{ "_pfsyncstats", 0, 0, 0, 0},  /* not available via kvm */
 	{ "", 0, 0, 0, 0 },
 };

@ -233,6 +235,8 @@ struct protox {
 #endif
 	{ -1,		N_PIMSTAT,	1,	0,
 	  pim_stats,	NULL,		0,	"pim" },
+	{ -1,		N_PFSYNCSTAT,  1,  0,
+	  pfsync_stats,  NULL,		0,  "pfsync" },	
 	{ -1,		-1,		0,	0,
 	  0,		NULL,		0,	0 }
 };
--- a/usr.bin/netstat/netstat.h
+++ b/usr.bin/netstat/netstat.h
@ -1,4 +1,4 @@
-/*	$NetBSD: netstat.h,v 1.38 2009/09/13 02:53:17 elad Exp $	*/
+/*	$NetBSD: netstat.h,v 1.39 2009/09/14 10:36:51 degroote Exp $	*/

 /*
 * Copyright (c) 1992, 1993
@ -78,6 +78,7 @@ void	igmp_stats __P((u_long, const char *));
 void	pim_stats __P((u_long, const char *));
 void	arp_stats __P((u_long, const char *));
 void	carp_stats __P((u_long, const char *));
+void	pfsync_stats __P((u_long, const char*));
 #ifdef IPSEC
 /* run-time selector for which  implementation (KAME, FAST_IPSEC) to show */
 void	ipsec_switch __P((u_long, const char *));
--- a/usr.sbin/pf/man/man4/Makefile
+++ b/usr.sbin/pf/man/man4/Makefile
@ -1,9 +1,9 @@
-#	$NetBSD: Makefile,v 1.1 2004/11/14 11:26:48 yamt Exp $
+#	$NetBSD: Makefile,v 1.2 2009/09/14 10:36:51 degroote Exp $

 .include <bsd.own.mk>

 .PATH:	${NETBSDSRCDIR}/dist/pf/share/man/man4

-MAN=	pf.4 pflog.4
+MAN=	pf.4 pflog.4 pfsync.4

 .include <bsd.man.mk>
--- a/usr.sbin/tcpdump/Makefile
+++ b/usr.sbin/tcpdump/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.49 2009/04/22 15:23:09 lukem Exp $	
+#	$NetBSD: Makefile,v 1.50 2009/09/14 10:36:51 degroote Exp $	

 WARNS?=	1	# XXX: out of date third-party program 

@ -13,6 +13,7 @@ PROG=	tcpdump
 MAN=	tcpdump.8 

 SRCS=	addrtoname.c cpack.c gmpls.c gmt2local.c machdep.c oui.c parsenfsfh.c \
+		pf_print_state.c \
 	print-802_11.c print-ah.c print-aodv.c print-ap1394.c print-arcnet.c \
 	print-arp.c \
 	print-ascii.c print-atalk.c print-atm.c print-bfd.c print-bgp.c \
@ -24,7 +25,7 @@ SRCS=	addrtoname.c cpack.c gmpls.c gmt2local.c machdep.c oui.c parsenfsfh.c \
 	print-ipx.c print-isakmp.c print-isoclns.c print-krb.c \
 	print-l2tp.c print-lane.c print-ldp.c print-llc.c print-lwres.c \
 	print-msdp.c print-mobile.c print-mobility.c print-mpls.c print-nfs.c \
-	print-ntp.c print-null.c print-ospf.c print-pflog.c \
+	print-ntp.c print-null.c print-ospf.c print-pflog.c print-pfsync.c \
 	print-pim.c print-ppp.c print-pppoe.c print-pptp.c \
 	print-radius.c print-raw.c print-rip.c print-rsvp.c print-rx.c \
 	print-sctp.c print-sl.c print-sll.c print-smb.c print-snmp.c \
@ -51,6 +52,7 @@ LDADD+=	-lpcap -ll
 DPADD+=	${LIBPCAP} ${LIBL}

 CPPFLAGS+=	-I${.CURDIR} -I${SRCDIR} -I${NETBSDSRCDIR}/sys/dist/pf
+CPPFLAGS+=  -I${NETBSDSRCDIR}/dist/pf/sbin/pfctl

 AWKS= atime.awk packetdat.awk stime.awk send-ack.awk
				`@ -0,0 +1,2 @@`
				`/* $NetBSD: pfsync.h,v 1.1 2009/09/14 10:36:50 degroote Exp $ */`