authorHakan Olsson <ho@cvs.openbsd.org>2005-05-28 15:10:08 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2005-05-28 15:10:08 +0000
commit4d33c5410961fc63b273608c9d7a7d31a62eec4a (patch)
treeb1a10d64dfc3430295cecdaea28243d9db3733aa
parent2c6cdf9cdd89b528002eebcc09d55aa0b56f925e (diff)
Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@
-rw-r--r--sys/net/if_pfsync.c242
-rw-r--r--sys/net/if_pfsync.h25
-rw-r--r--sys/net/pfkeyv2_parsemessage.c4
-rw-r--r--sys/netinet/ip_ah.c19
-rw-r--r--sys/netinet/ip_esp.c16
-rw-r--r--sys/netinet/ip_ipsp.c8
-rw-r--r--sys/netinet/ip_ipsp.h3
-rw-r--r--usr.sbin/tcpdump/print-pfsync.c13
8 files changed, 306 insertions, 24 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 350172fad55..762f9b32106 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.47 2005/05/21 21:03:57 henning Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.48 2005/05/28 15:10:07 ho Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -85,6 +85,7 @@ struct pfsyncstats pfsyncstats;
void pfsyncattach(int);
void pfsync_setmtu(struct pfsync_softc *, int);
int pfsync_insert_net_state(struct pfsync_state *);
+void pfsync_update_net_tdb(struct pfsync_tdb *);
int pfsyncoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
struct rtentry *);
int pfsyncioctl(struct ifnet *, u_long, caddr_t);
@@ -93,7 +94,10 @@ void pfsyncstart(struct ifnet *);
struct mbuf *pfsync_get_mbuf(struct pfsync_softc *, u_int8_t, void **);
int pfsync_request_update(struct pfsync_state_upd *, struct in_addr *);
int pfsync_sendout(struct pfsync_softc *);
+int pfsync_tdb_sendout(struct pfsync_softc *);
+int pfsync_sendout_mbuf(struct pfsync_softc *, struct mbuf *);
void pfsync_timeout(void *);
+void pfsync_tdb_timeout(void *);
void pfsync_send_bus(struct pfsync_softc *, u_int8_t);
void pfsync_bulk_update(void *);
void pfsync_bulkfail(void *);
@@ -110,8 +114,10 @@ pfsyncattach(int npfsync)
bzero(&pfsyncif, sizeof(pfsyncif));
pfsyncif.sc_mbuf = NULL;
pfsyncif.sc_mbuf_net = NULL;
+ pfsyncif.sc_mbuf_tdb = NULL;
pfsyncif.sc_statep.s = NULL;
pfsyncif.sc_statep_net.s = NULL;
+ pfsyncif.sc_statep_tdb.t = NULL;
pfsyncif.sc_maxupdates = 128;
pfsyncif.sc_sync_peer.s_addr = INADDR_PFSYNC_GROUP;
pfsyncif.sc_sendaddr.s_addr = INADDR_PFSYNC_GROUP;
@@ -128,6 +134,7 @@ pfsyncattach(int npfsync)
ifp->if_hdrlen = PFSYNC_HDRLEN;
pfsync_setmtu(&pfsyncif, MCLBYTES);
timeout_set(&pfsyncif.sc_tmo, pfsync_timeout, &pfsyncif);
+ timeout_set(&pfsyncif.sc_tdb_tmo, pfsync_tdb_timeout, &pfsyncif);
timeout_set(&pfsyncif.sc_bulk_tmo, pfsync_bulk_update, &pfsyncif);
timeout_set(&pfsyncif.sc_bulkfail_tmo, pfsync_bulkfail, &pfsyncif);
if_attach(ifp);
@@ -250,6 +257,7 @@ pfsync_input(struct mbuf *m, ...)
struct pfsync_state_clr *cp;
struct pfsync_state_upd_req *rup;
struct pfsync_state_bus *bus;
+ struct pfsync_tdb *pt;
struct in_addr src;
struct mbuf *mp;
int iplen, action, error, i, s, count, offp, sfail, stale = 0;
@@ -719,6 +727,18 @@ pfsync_input(struct mbuf *m, ...)
break;
}
break;
+ case PFSYNC_ACT_TDB_UPD:
+ if ((mp = m_pulldown(m, iplen + sizeof(*ph),
+ count * sizeof(*pt), &offp)) == NULL) {
+ pfsyncstats.pfsyncs_badlen++;
+ return;
+ }
+ s = splsoftnet();
+ for (i = 0, pt = (struct pfsync_tdb *)(mp->m_data + offp);
+ i < count; i++, pt++)
+ pfsync_update_net_tdb(pt);
+ splx(s);
+ break;
}
done:
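Review bot: Every record in a PFSYNC_ACT_TDB_UPD packet is handed straight to pfsync_update_net_tdb(), which (later in this diff) only rejects a replay counter that goes down, so any host whose packets pass the source checks pfsync_input() applies above this hunk can wind tdb_rpl of an inbound SA forward by the full 32-bit range and make the gateway drop the peer's legitimate traffic until rekey. That is a property of unauthenticated pfsync rather than a defect in the loop itself, but it is new exposure for IPsec and deserves a comment here plus a caveat in pfsync(4): `/* XXX TDB updates are trusted exactly like state updates: the sync segment must be as trusted as the SA keys. */`. pfsync_input() begins before this hunk, so I cannot see which origin checks precede this case.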
@@ -934,6 +954,10 @@ pfsync_get_mbuf(struct pfsync_softc *sc, u_int8_t action, void **sp)
len = sizeof(struct pfsync_header) +
sizeof(struct pfsync_state_bus);
break;
+ case PFSYNC_ACT_TDB_UPD:
+ len = (sc->sc_maxcount * sizeof(struct pfsync_tdb)) +
+ sizeof(struct pfsync_header);
+ break;
default:
len = (sc->sc_maxcount * sizeof(struct pfsync_state)) +
sizeof(struct pfsync_header);
@@ -960,7 +984,10 @@ pfsync_get_mbuf(struct pfsync_softc *sc, u_int8_t action, void **sp)
h->action = action;
*sp = (void *)((char *)h + PFSYNC_HDRLEN);
- timeout_add(&sc->sc_tmo, hz);
+ if (action == PFSYNC_ACT_TDB_UPD)
+ timeout_add(&sc->sc_tdb_tmo, hz);
+ else
+ timeout_add(&sc->sc_tmo, hz);
return (m);
}
@@ -1242,6 +1269,17 @@ pfsync_timeout(void *v)
splx(s);
}
+void
+pfsync_tdb_timeout(void *v)
+{
+ struct pfsync_softc *sc = v;
+ int s;
+
+ s = splnet();
+ pfsync_tdb_sendout(sc);
+ splx(s);
+}
+
/* This must be called in splnet() */
void
pfsync_send_bus(struct pfsync_softc *sc, u_int8_t status)
@@ -1342,8 +1380,7 @@ pfsync_bulkfail(void *v)
/* This must be called in splnet() */
int
-pfsync_sendout(sc)
- struct pfsync_softc *sc;
+pfsync_sendout(struct pfsync_softc *sc)
{
struct ifnet *ifp = &sc->sc_if;
struct mbuf *m;
@@ -1368,10 +1405,39 @@ pfsync_sendout(sc)
sc->sc_statep_net.s = NULL;
}
- if (sc->sc_sync_ifp || sc->sc_sync_peer.s_addr != INADDR_PFSYNC_GROUP) {
- struct ip *ip;
- struct sockaddr sa;
+ return pfsync_sendout_mbuf(sc, m);
+}
+int
+pfsync_tdb_sendout(struct pfsync_softc *sc)
+{
+ struct ifnet *ifp = &sc->sc_if;
+ struct mbuf *m;
+
+ timeout_del(&sc->sc_tdb_tmo);
+
+ if (sc->sc_mbuf_tdb == NULL)
+ return (0);
+ m = sc->sc_mbuf_tdb;
+ sc->sc_mbuf_tdb = NULL;
+ sc->sc_statep_tdb.t = NULL;
+
+#if NBPFILTER > 0
+ if (ifp->if_bpf)
+ bpf_mtap(ifp->if_bpf, m);
+#endif
+
+ return pfsync_sendout_mbuf(sc, m);
+}
+
+int
+pfsync_sendout_mbuf(struct pfsync_softc *sc, struct mbuf *m)
+{
+ struct sockaddr sa;
+ struct ip *ip;
+
+ if (sc->sc_sync_ifp ||
+ sc->sc_sync_peer.s_addr != INADDR_PFSYNC_GROUP) {
M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
if (m == NULL) {
pfsyncstats.pfsyncs_onomem++;
@@ -1405,3 +1471,165 @@ pfsync_sendout(sc)
return (0);
}
+
+/* Update an in-kernel tdb. Silently fail if no tdb is found. */
+void
+pfsync_update_net_tdb(struct pfsync_tdb *pt)
+{
+ struct tdb *tdb;
+ int s;
+
+ /* check for invalid values */
+ pt->spi = htonl(pt->spi);
+ if (pt->spi <= SPI_RESERVED_MAX ||
+ (pt->dst.sa.sa_family != AF_INET &&
+ pt->dst.sa.sa_family != AF_INET6))
+ goto bad;
+
+ if (pt->dst.sa.sa_family == AF_INET)
+ pt->dst.sin.sin_addr.s_addr =
+ htonl(pt->dst.sin.sin_addr.s_addr);
+
+ s = spltdb();
+ tdb = gettdb(pt->spi, &pt->dst, pt->sproto);
+ if (tdb) {
+ /*
+ * When a failover happens, the master's rpl is probably above
+ * what we see here (we may be up to a second late), so
+ * increase it a bit to manage most such situations.
+ *
+ * For now, just add an offset that is likely to be larger
+ * than the number of packets we can see in one second. The RFC
+ * just says the next packet must have a higher seq value.
+ *
+ * XXX What is a good algorithm for this? We could use
+ * a rate-determined increase, but to know it, we would have
+ * to extend struct tdb.
+ * XXX pt->rpl can wrap over MAXINT, but if so the real tdb
+ * will soon be replaced anyway. For now, just don't handle
+ * this edge case.
+ */
+#define RPL_INCR 16384
+ pt->rpl = ntohl(pt->rpl) + RPL_INCR;
+ pt->cur_bytes = betoh64(pt->cur_bytes);
+
+ /* Neither replay nor byte counter should ever decrease. */
+ if (pt->rpl < tdb->tdb_rpl ||
+ pt->cur_bytes < tdb->tdb_cur_bytes) {
+ splx(s);
+ goto bad;
+ }
+
+ tdb->tdb_rpl = pt->rpl;
+ tdb->tdb_cur_bytes = pt->cur_bytes;
+ }
+ splx(s);
+ return;
+
+ bad:
+ printf("pfsync_update_net_tdb: badness\n");
+ if (pf_status.debug >= PF_DEBUG_MISC)
+ printf("pfsync_insert: PFSYNC_ACT_TDB_UPD: "
+ "invalid value\n");
+ pfsyncstats.pfsyncs_badstate++;
+ return;
+}
+
+/* One of our local tdbs have been updated, need to sync rpl with others */
+int
+pfsync_update_tdb(struct tdb *tdb)
+{
+ struct ifnet *ifp = &pfsyncif.sc_if;
+ struct pfsync_softc *sc = ifp->if_softc;
+ struct pfsync_header *h;
+ struct pfsync_tdb *pt = NULL;
+ int s, i, ret;
+
+ if (ifp->if_bpf == NULL && sc->sc_sync_ifp == NULL &&
+ sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) {
+ /* Don't leave any stale pfsync packets hanging around. */
+ if (sc->sc_mbuf_tdb != NULL) {
+ m_freem(sc->sc_mbuf_tdb);
+ sc->sc_mbuf_tdb = NULL;
+ sc->sc_statep_tdb.t = NULL;
+ }
+ return (0);
+ }
+
+ s = splnet();
+ if (sc->sc_mbuf_tdb == NULL) {
+ if ((sc->sc_mbuf_tdb = pfsync_get_mbuf(sc, PFSYNC_ACT_TDB_UPD,
+ (void *)&sc->sc_statep_tdb.t)) == NULL) {
+ splx(s);
+ return (ENOMEM);
+ }
+ h = mtod(sc->sc_mbuf_tdb, struct pfsync_header *);
+ } else {
+ h = mtod(sc->sc_mbuf_tdb, struct pfsync_header *);
+ if (h->action != PFSYNC_ACT_TDB_UPD) {
+ /*
+ * XXX will never happen as long as there's
+ * only one "TDB action".
+ */
+ pfsync_tdb_sendout(sc);
+ sc->sc_mbuf_tdb = pfsync_get_mbuf(sc,
+ PFSYNC_ACT_TDB_UPD, (void *)&sc->sc_statep_tdb.t);
+ if (sc->sc_mbuf_tdb == NULL) {
+ splx(s);
+ return (ENOMEM);
+ }
+ h = mtod(sc->sc_mbuf_tdb, struct pfsync_header *);
+ } else if (sc->sc_maxupdates) {
+ /*
+ * If it's an update, look in the packet to see if
+ * we already have an update for the state.
+ */
+ struct pfsync_tdb *u =
+ (void *)((char *)h + PFSYNC_HDRLEN);
+ int hash = tdb_hash(tdb->tdb_spi, &tdb->tdb_dst,
+ tdb->tdb_sproto);
+
+ for (i = 0; !pt && i < h->count; i++) {
+ /* XXX Ugly, u is network ordered. */
+ if (u->dst.sa.sa_family == AF_INET)
+ u->dst.sin.sin_addr.s_addr =
+ ntohl(u->dst.sin.sin_addr.s_addr);
+ if (tdb_hash(ntohl(u->spi), &u->dst,
+ u->sproto) == hash) {
+ pt = u;
+ pt->updates++;
+ }
+ if (u->dst.sa.sa_family == AF_INET)
+ u->dst.sin.sin_addr.s_addr =
+ htonl(u->dst.sin.sin_addr.s_addr);
+ u++;
+ }
+ }
+ }
+
+ if (pt == NULL) {
+ /* not a "duplicate" update */
+ pt = sc->sc_statep_tdb.t++;
+ sc->sc_mbuf_tdb->m_pkthdr.len =
+ sc->sc_mbuf_tdb->m_len += sizeof(struct pfsync_tdb);
+ h->count++;
+ bzero(pt, sizeof(*pt));
+
+ pt->spi = htonl(tdb->tdb_spi);
+ memcpy(&pt->dst, &tdb->tdb_dst, sizeof pt->dst);
+ if (pt->dst.sa.sa_family == AF_INET)
+ pt->dst.sin.sin_addr.s_addr =
+ htonl(pt->dst.sin.sin_addr.s_addr);
+ pt->sproto = tdb->tdb_sproto;
+ }
+
+ pt->rpl = htonl(tdb->tdb_rpl);
+ pt->cur_bytes = htobe64(tdb->tdb_cur_bytes);
+
+ if (h->count == sc->sc_maxcount ||
+ (sc->sc_maxupdates && (pt->updates >= sc->sc_maxupdates)))
+ ret = pfsync_tdb_sendout(sc);
+
+ splx(s);
+ return (ret);
+}
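Review bot: pfsync_update_net_tdb() validates pt->dst.sa.sa_family but not pt->dst.sa.sa_len before handing the address to gettdb(); tdb_hash() is not in this diff, but if it or the lookup walks the address by SA_LEN(), a forged sa_len of up to 255 reads past the union and possibly past the mbuf, so extend the invalid-values check with `(pt->dst.sa.sa_family == AF_INET && pt->dst.sa.sa_len != sizeof(struct sockaddr_in)) || (pt->dst.sa.sa_family == AF_INET6 && pt->dst.sa.sa_len != sizeof(struct sockaddr_in6))`. In pfsync_update_tdb() the duplicate search treats equal tdb_hash() values as the same SA, but the hash is a bucket index, so two SAs sharing a bucket are merged into one record and the first SA's rpl/cur_bytes are overwritten with the second's; compare spi, sproto and dst directly instead of the hash. `ret` is only assigned on the sendout path, so `return (ret)` hands back an uninitialized value otherwise — declare it as `int s, i, ret = 0;`. The unconditional `printf("pfsync_update_net_tdb: badness\n")` under bad: is reachable from the network on every malformed record and looks like leftover debugging; the pf_status.debug-gated message that follows is sufficient.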
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
index ddd049a81fd..ffa57b7993a 100644
--- a/sys/net/if_pfsync.h
+++ b/sys/net/if_pfsync.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.h,v 1.19 2005/01/20 17:47:38 mcbride Exp $ */
+/* $OpenBSD: if_pfsync.h,v 1.20 2005/05/28 15:10:07 ho Exp $ */
/*
* Copyright (c) 2001 Michael Shalayeff
@@ -88,6 +88,16 @@ struct pfsync_state {
#define PFSYNC_FLAG_COMPRESS 0x01
#define PFSYNC_FLAG_STALE 0x02
+struct pfsync_tdb {
+ u_int32_t spi;
+ union sockaddr_union dst;
+ u_int32_t rpl;
+ u_int64_t cur_bytes;
+ u_int8_t sproto;
+ u_int8_t updates;
+ u_int8_t pad[2];
+} __packed;
+
struct pfsync_state_upd {
u_int32_t id[2];
struct pfsync_state_peer src;
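Review bot: struct pfsync_tdb is an on-wire format and needs a comment stating byte order, because the convention is not the obvious one: spi, rpl and cur_bytes are sent big-endian, while dst.sin_addr (already network order inside struct tdb) is passed through htonl() once more by pfsync_update_tdb() and reversed by the receiver, so it travels in the sender's host order and only round-trips between identical kernels. Suggest above the struct: `/* Wire format: spi, rpl, cur_bytes big-endian; dst copied from tdb_dst with sin_addr htonl()'d once more (see pfsync_update_tdb); updates is sender-side batching state, ignored by the receiver. */`. It is also worth stating that embedding union sockaddr_union ties the record size to sizeof(struct sockaddr_in6), which is fine between OpenBSD peers but is an implicit ABI.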
@@ -143,6 +153,10 @@ union sc_statep {
struct pfsync_state_upd_req *r;
};
+union sc_tdb_statep {
+ struct pfsync_tdb *t;
+};
+
extern int pfsync_sync_ok;
struct pfsync_softc {
@@ -151,14 +165,17 @@ struct pfsync_softc {
struct ip_moptions sc_imo;
struct timeout sc_tmo;
+ struct timeout sc_tdb_tmo;
struct timeout sc_bulk_tmo;
struct timeout sc_bulkfail_tmo;
struct in_addr sc_sync_peer;
struct in_addr sc_sendaddr;
struct mbuf *sc_mbuf; /* current cumulative mbuf */
struct mbuf *sc_mbuf_net; /* current cumulative mbuf */
+ struct mbuf *sc_mbuf_tdb; /* dito for TDB updates */
union sc_statep sc_statep;
union sc_statep sc_statep_net;
+ union sc_tdb_statep sc_statep_tdb;
u_int32_t sc_ureq_received;
u_int32_t sc_ureq_sent;
int sc_bulk_tries;
@@ -183,7 +200,8 @@ struct pfsync_header {
#define PFSYNC_ACT_DEL_F 7 /* delete fragments */
#define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */
#define PFSYNC_ACT_BUS 9 /* Bulk Update Status */
-#define PFSYNC_ACT_MAX 10
+#define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */
+#define PFSYNC_ACT_MAX 11
u_int8_t count;
} __packed;
@@ -193,7 +211,7 @@ struct pfsync_header {
#define PFSYNC_ACTIONS \
"CLR ST", "INS ST", "UPD ST", "DEL ST", \
"UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
- "UPD REQ", "BLK UPD STAT"
+ "UPD REQ", "BLK UPD STAT", "TDB UPD"
#define PFSYNC_DFLTTL 255
@@ -282,6 +300,7 @@ int pfsync_pack_state(u_int8_t, struct pf_state *, int);
PFSYNC_FLAG_COMPRESS); \
st->sync_flags &= ~PFSTATE_FROMSYNC; \
} while (0)
+int pfsync_update_tdb(struct tdb *);
#endif
#endif /* _NET_IF_PFSYNC_H_ */
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index dde4380354a..54df2430a79 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.39 2004/08/10 16:17:05 ho Exp $ */
+/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.40 2005/05/28 15:10:07 ho Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -133,7 +133,7 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] =
/* UPDATE */
BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
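Review bot: Permitting SADB_X_EXT_LIFETIME_LASTUSE on SADB_ADD widens what userland may pass through the PF_KEY parser, and the commit message (replay counter synchronization) does not say why. A one-line comment on the ADD entry would spare the next reader the archaeology, e.g. `/* LASTUSE accepted on ADD so a failover peer can install an SA with its last-use time preserved */`, assuming that is the purpose — the consumer of the extension is not in this diff.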
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index b6ca4aabb67..be91d8fd650 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.80 2005/05/27 18:23:18 markus Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.81 2005/05/28 15:10:07 ho Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -36,6 +36,8 @@
* PURPOSE.
*/
+#include "pfsync.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
@@ -48,6 +50,7 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
+#include <netinet/ip_var.h>
#endif /* INET */
#ifdef INET6
@@ -62,6 +65,11 @@
#include <net/pfkeyv2.h>
#include <net/if_enc.h>
+#if NPFSYNC > 0
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
+#endif /* NPFSYNC > 0 */
+
#include <crypto/cryptodev.h>
#include <crypto/xform.h>
@@ -805,6 +813,9 @@ ah_input_cb(void *op)
switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl),
tdb->tdb_wnd, &(tdb->tdb_bitmap), 1)) {
case 0: /* All's well. */
+#if NPFSYNC > 0
+ pfsync_update_tdb(tdb);
+#endif
break;
case 1:
@@ -1100,8 +1111,12 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/* Zeroize authenticator. */
m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes);
- if (!(tdb->tdb_flags & TDBF_NOREPLAY))
+ if (!(tdb->tdb_flags & TDBF_NOREPLAY)) {
ah->ah_rpl = htonl(tdb->tdb_rpl++);
+#if NPFSYNC > 0
+ pfsync_update_tdb(tdb);
+#endif
+ }
/* Get crypto descriptors. */
crp = crypto_getreq(1);
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index de2894d89c6..35e41b62708 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.91 2005/05/27 18:23:18 markus Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.92 2005/05/28 15:10:07 ho Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -35,6 +35,8 @@
* PURPOSE.
*/
+#include "pfsync.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
@@ -49,6 +51,7 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
+#include <netinet/ip_var.h>
#endif /* INET */
#ifdef INET6
@@ -63,6 +66,11 @@
#include <net/pfkeyv2.h>
#include <net/if_enc.h>
+#if NPFSYNC > 0
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
+#endif /* NPFSYNC > 0 */
+
#include <crypto/cryptodev.h>
#include <crypto/xform.h>
@@ -573,6 +581,9 @@ esp_input_cb(void *op)
switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl),
tdb->tdb_wnd, &(tdb->tdb_bitmap), 1)) {
case 0: /* All's well */
+#if NPFSYNC > 0
+ pfsync_update_tdb(tdb);
+#endif
break;
case 1:
@@ -875,6 +886,9 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
u_int32_t replay = htonl(tdb->tdb_rpl++);
bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t),
sizeof(u_int32_t));
+#if NPFSYNC > 0
+ pfsync_update_tdb(tdb);
+#endif
}
/*
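Review bot: pfsync_update_tdb() is now called once per ESP packet on the output path here and in esp_input_cb(), and its ENOMEM return is silently dropped; that is a defensible best-effort design, but it should be stated at the call site, e.g. `/* Best effort: a lost update only costs the peer a larger jump after failover. */`. Each call also scans the pending batch in pfsync_update_tdb() and, with the default sc_maxupdates of 128 set in pfsyncattach(), flushes a record roughly every 128 packets per SA or once a second, so on a busy gateway this is a measurable per-packet cost that the commit message should mention if that estimate holds. esp_output() continues outside this hunk.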
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 663309466d4..3bd169e6014 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.162 2005/05/27 19:33:56 hshoexer Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.163 2005/05/28 15:10:07 ho Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -76,10 +76,6 @@ void tdb_hashstats(void);
#define DPRINTF(x)
#endif
-#ifdef __GNUC__
-#define INLINE static __inline
-#endif
-
int ipsp_kern(int, char **, int);
u_int8_t get_sa_require(struct inpcb *);
void tdb_rehash(void);
@@ -145,7 +141,7 @@ static int tdb_count;
* Our hashing function needs to stir things with a non-zero random multiplier
* so we cannot be DoS-attacked via choosing of the data to hash.
*/
-INLINE int
+int
tdb_hash(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto)
{
static u_int32_t mult1 = 0, mult2 = 0;
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index f089c4179b4..a68c8186ae0 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.129 2005/05/27 19:32:31 hshoexer Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.130 2005/05/28 15:10:07 ho Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -541,6 +541,7 @@ extern void puttdb(struct tdb *);
extern void tdb_delete(struct tdb *);
extern struct tdb *tdb_alloc(void);
extern void tdb_free(struct tdb *);
+extern int tdb_hash(u_int32_t, union sockaddr_union *, u_int8_t);
extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);
diff --git a/usr.sbin/tcpdump/print-pfsync.c b/usr.sbin/tcpdump/print-pfsync.c
index ec9b8d08646..d4dcf061f9b 100644
--- a/usr.sbin/tcpdump/print-pfsync.c
+++ b/usr.sbin/tcpdump/print-pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-pfsync.c,v 1.27 2004/07/07 23:48:40 mcbride Exp $ */
+/* $OpenBSD: print-pfsync.c,v 1.28 2005/05/28 15:10:07 ho Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -28,7 +28,7 @@
#ifndef lint
static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pfsync.c,v 1.27 2004/07/07 23:48:40 mcbride Exp $";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pfsync.c,v 1.28 2005/05/28 15:10:07 ho Exp $";
#endif
#include <sys/param.h>
@@ -116,6 +116,7 @@ pfsync_print(struct pfsync_header *hdr, int len)
struct pfsync_state_clr *c;
struct pfsync_state_upd_req *r;
struct pfsync_state_bus *b;
+ struct pfsync_tdb *t;
int i, flags = 0, min, sec;
u_int64_t id;
@@ -231,6 +232,14 @@ pfsync_print(struct pfsync_header *hdr, int len)
}
}
break;
+ case PFSYNC_ACT_TDB_UPD:
+ for (i = 1, t = (void *)((char *)hdr + PFSYNC_HDRLEN);
+ i <= hdr->count && i * sizeof(*t) <= len; i++, t++)
+ printf("\n\tspi: %08x rpl: %u cur_bytes: %llu",
+ htonl(t->spi), htonl(t->rpl),
+ betoh64(t->cur_bytes));
+ /* XXX add dst and sproto? */
+ break;
default:
break;
}
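Review bot: The printf converts wire fields to host order with htonl(), which yields the same bytes as ntohl() on every platform but reads as the wrong direction; use `ntohl(t->spi), ntohl(t->rpl)` so the intent is clear and matches the rest of tcpdump. Whether `i * sizeof(*t) <= len` is correct depends on whether PFSYNC_HDRLEN has already been subtracted from len before this switch — that happens above the hunk, so I can only note that it should follow the same convention as the other actions.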