authorJoel Knight <joel@cvs.openbsd.org>2012-02-23 03:54:39 +0000
committerJoel Knight <joel@cvs.openbsd.org>2012-02-23 03:54:39 +0000
commit5521952675f06d028f9843535c3c6accf4c10839 (patch)
tree60162bb9b5d0c8498664a6e1f18570d46e01d088
parent7c32bb0e88a0036463e4984b1b5be8d82df344d1 (diff)
Bring in PF-MIB to snmpd.
ok krw@, sthen@
-rw-r--r--share/snmp/Makefile4
-rw-r--r--share/snmp/OPENBSD-BASE-MIB.txt4
-rw-r--r--share/snmp/OPENBSD-PF-MIB.txt1493
-rw-r--r--usr.sbin/snmpd/Makefile5
-rw-r--r--usr.sbin/snmpd/mib.c1006
-rw-r--r--usr.sbin/snmpd/mib.h341
-rw-r--r--usr.sbin/snmpd/pf.c483
-rw-r--r--usr.sbin/snmpd/snmpd.c5
-rw-r--r--usr.sbin/snmpd/snmpd.h49
9 files changed, 3380 insertions, 10 deletions
diff --git a/share/snmp/Makefile b/share/snmp/Makefile
index 94a3b3cd76d..d4b8792225f 100644
--- a/share/snmp/Makefile
+++ b/share/snmp/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.2 2012/01/31 18:00:46 joel Exp $
+# $OpenBSD: Makefile,v 1.3 2012/02/23 03:54:38 joel Exp $
FILES= OPENBSD-SNMPD-CONF.txt OPENBSD-BASE-MIB.txt
FILES+= OPENBSD-MEM-MIB.txt OPENBSD-SENSORS-MIB.txt
-FILES+= OPENBSD-CARP-MIB.txt
+FILES+= OPENBSD-CARP-MIB.txt OPENBSD-PF-MIB.txt
all clean cleandir depend lint obj tags: _SUBDIRUSE
diff --git a/share/snmp/OPENBSD-BASE-MIB.txt b/share/snmp/OPENBSD-BASE-MIB.txt
index 3ad0f434cd4..82b8ec4ae9a 100644
--- a/share/snmp/OPENBSD-BASE-MIB.txt
+++ b/share/snmp/OPENBSD-BASE-MIB.txt
@@ -1,4 +1,4 @@
--- $OpenBSD: OPENBSD-BASE-MIB.txt,v 1.4 2012/02/09 16:50:18 sthen Exp $
+-- $OpenBSD: OPENBSD-BASE-MIB.txt,v 1.5 2012/02/23 03:54:38 joel Exp $
--
-- Copyright (c) 2008 Reyk Floeter <reyk@openbsd.org>
-- Copyright (c) 2004-2007 Joel Knight <knight.joel@gmail.com>
@@ -49,7 +49,7 @@ openBSD MODULE-IDENTITY
-- OpenBSD sub-MIBs
--
--- pfMIBObjects OBJECT IDENTIFIER ::= { openBSD 1 }
+pfMIBObjects OBJECT IDENTIFIER ::= { openBSD 1 }
sensorsMIBObjects OBJECT IDENTIFIER ::= { openBSD 2 }
-- relaydMIBObjects OBJECT IDENTIFIER ::= { openBSD 3 }
-- ipsecMIBObjects OBJECT IDENTIFIER ::= { openBSD 4 }
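Review bot: The newly active `pfMIBObjects OBJECT IDENTIFIER ::= { openBSD 1 }` line defines in OPENBSD-BASE-MIB a descriptor that the new OPENBSD-PF-MIB in this same commit also defines, there as `pfMIBObjects MODULE-IDENTITY ... ::= { openBSD 1 }`. OPENBSD-PF-MIB imports only `openBSD` from this module, so the two assignments are independent and nothing keeps them in agreement. MIB tools that load both modules may warn about the duplicate name or require module-qualified lookups. I would either leave this line commented out as a registry placeholder, or put a comment above it such as `-- also the MODULE-IDENTITY of OPENBSD-PF-MIB; keep both assignments in sync`.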
diff --git a/share/snmp/OPENBSD-PF-MIB.txt b/share/snmp/OPENBSD-PF-MIB.txt
new file mode 100644
index 00000000000..b7d0c0fa150
--- /dev/null
+++ b/share/snmp/OPENBSD-PF-MIB.txt
@@ -0,0 +1,1493 @@
+-- $OpenBSD: OPENBSD-PF-MIB.txt,v 1.1 2012/02/23 03:54:38 joel Exp $
+--
+-- Copyright (c) 2004-2012 Joel Knight <knight.joel@gmail.com>
+--
+-- Permission to use, copy, modify, and distribute this document for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE DOCUMENT IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+-- WITH REGARD TO THIS DOCUMENT INCLUDING ALL IMPLIED WARRANTIES OF
+-- MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+-- ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+-- WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+-- ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+-- OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS DOCUMENT.
+
+
+OPENBSD-PF-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, NOTIFICATION-TYPE, OBJECT-TYPE,
+ Counter32, Counter64, Unsigned32, Integer32, IpAddress,
+ TimeTicks, enterprises
+ FROM SNMPv2-SMI
+
+ TruthValue
+ FROM SNMPv2-TC
+
+ openBSD
+ FROM OPENBSD-BASE-MIB
+
+ MODULE-COMPLIANCE, OBJECT-GROUP
+ FROM SNMPv2-CONF;
+
+pfMIBObjects MODULE-IDENTITY
+ LAST-UPDATED "201201260000Z"
+ ORGANIZATION "OpenBSD"
+ CONTACT-INFO "
+ Author: Joel Knight
+ email: knight.joel@gmail.com
+ www: http://www.packetmischief.ca/openbsd-snmp-mibs/
+ "
+ DESCRIPTION "The MIB module for gathering information from
+ OpenBSD's packet filter.
+ "
+ REVISION "201201260000Z"
+ DESCRIPTION "Add OPENBSD-PF-MIB to OpenBSD's snmpd"
+ ::= { openBSD 1 }
+
+
+-- define the sections of the MIB
+
+pfInfo OBJECT IDENTIFIER ::= { pfMIBObjects 1 }
+pfCounters OBJECT IDENTIFIER ::= { pfMIBObjects 2 }
+pfStateTable OBJECT IDENTIFIER ::= { pfMIBObjects 3 }
+pfLogInterface OBJECT IDENTIFIER ::= { pfMIBObjects 4 }
+pfSrcTracking OBJECT IDENTIFIER ::= { pfMIBObjects 5 }
+pfLimits OBJECT IDENTIFIER ::= { pfMIBObjects 6 }
+pfTimeouts OBJECT IDENTIFIER ::= { pfMIBObjects 7 }
+pfInterfaces OBJECT IDENTIFIER ::= { pfMIBObjects 8 }
+pfTables OBJECT IDENTIFIER ::= { pfMIBObjects 9 }
+pfLabels OBJECT IDENTIFIER ::= { pfMIBObjects 10 }
+pfsyncStats OBJECT IDENTIFIER ::= { pfMIBObjects 11 }
+
+
+-- pfInfo
+
+pfRunning OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Indicates whether pf is enabled or not."
+ ::= { pfInfo 1 }
+
+pfRuntime OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "1/100th of a Second"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Indicates how long pf has been enabled. If pf is not
+ enabled, indicates how long pf has been disabled. If pf has not
+ been explicitly enabled or disabled since the system was booted,
+ the value will be 0."
+ ::= { pfInfo 2 }
+
+pfDebug OBJECT-TYPE
+ SYNTAX INTEGER {
+ emerg(0),
+ alert(1),
+ crit(2),
+ err(3),
+ warning(4),
+ notice(5),
+ info(6),
+ debug(7)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Indicates the debug level that pf is running at."
+ ::= { pfInfo 3 }
+
+pfHostid OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The (unique) host id of the machine running pf."
+ ::= { pfInfo 4 }
+
+
+-- pfCounters
+
+pfCntMatch OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that have matched a filter rule."
+ ::= { pfCounters 1 }
+
+pfCntBadOffset OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that have had a bad offset value."
+ ::= { pfCounters 2 }
+
+pfCntFragment OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packet fragments."
+ ::= { pfCounters 3 }
+
+pfCntShort OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were too short to contain a valid header."
+ ::= { pfCounters 4 }
+
+pfCntNormalize OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were normalized using the packet scrubber."
+ ::= { pfCounters 5 }
+
+pfCntMemory OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to memory limitations."
+ ::= { pfCounters 6 }
+
+pfCntTimestamp OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to improper RFC1323 timestamp."
+ ::= { pfCounters 7 }
+
+pfCntCongestion OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to congestion on the interface."
+ ::= { pfCounters 8 }
+
+pfCntIpOption OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to having options set in
+ the IP header."
+ ::= { pfCounters 9 }
+
+pfCntProtoCksum OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to memory limitations."
+ ::= { pfCounters 10 }
+
+pfCntStateMismatch OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to a state table mismatch."
+ ::= { pfCounters 11 }
+
+pfCntStateInsert OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to errors creating a
+ state table entry."
+ ::= { pfCounters 12 }
+
+pfCntStateLimit OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to the per-rule max
+ state limit being reached."
+ ::= { pfCounters 13 }
+
+pfCntSrcLimit OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped due to stateful connection
+ tracking. A packet could be dropped due to resource limits (memory)
+ or due to a tracking limit being reached."
+ ::= { pfCounters 14 }
+
+pfCntSynproxy OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped during the TCP synproxy process."
+ ::= { pfCounters 15 }
+
+
+-- pfStateTable
+
+pfStateCount OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of entries in the state table."
+ ::= { pfStateTable 1 }
+
+pfStateSearches OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of searches against the state table."
+ ::= { pfStateTable 2 }
+
+pfStateInserts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of inserts into the state table."
+ ::= { pfStateTable 3 }
+
+pfStateRemovals OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of removals from the state table."
+ ::= { pfStateTable 4 }
+
+
+-- pfLogInterface
+
+pfLogIfName OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of the interface configured using 'set loginterface'.
+ If no interface has been configured, the object will be empty."
+ ::= { pfLogInterface 1 }
+
+pfLogIfIpBytesIn OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv4 bytes passed in on the loginterface."
+ ::= { pfLogInterface 2 }
+
+pfLogIfIpBytesOut OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv4 bytes passed out on the loginterface."
+ ::= { pfLogInterface 3 }
+
+pfLogIfIpPktsInPass OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv4 packets passed in on the loginterface."
+ ::= { pfLogInterface 4 }
+
+pfLogIfIpPktsInDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of dropped IPv4 packets coming in on the loginterface."
+ ::= { pfLogInterface 5 }
+
+pfLogIfIpPktsOutPass OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv4 packets passed out on the loginterface."
+ ::= { pfLogInterface 6 }
+
+pfLogIfIpPktsOutDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of dropped IPv4 packets going out on the loginterface."
+ ::= { pfLogInterface 7 }
+
+pfLogIfIp6BytesIn OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv6 bytes passed in on the loginterface."
+ ::= { pfLogInterface 8 }
+
+pfLogIfIp6BytesOut OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv6 bytes passed out on the loginterface."
+ ::= { pfLogInterface 9 }
+
+pfLogIfIp6PktsInPass OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv6 packets passed in on the loginterface."
+ ::= { pfLogInterface 10 }
+
+pfLogIfIp6PktsInDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of dropped IPv6 packets coming in on the loginterface."
+ ::= { pfLogInterface 11 }
+
+pfLogIfIp6PktsOutPass OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv6 packets passed out on the loginterface."
+ ::= { pfLogInterface 12 }
+
+pfLogIfIp6PktsOutDrop OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of dropped IPv6 packets going out on the loginterface."
+ ::= { pfLogInterface 13 }
+
+
+-- pfSrcTracking
+
+pfSrcTrackCount OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of entries in the source tracking table."
+ ::= { pfSrcTracking 1 }
+
+pfSrcTrackSearches OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of searches against the source tracking table."
+ ::= { pfSrcTracking 2 }
+
+pfSrcTrackInserts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of inserts into the source tracking table."
+ ::= { pfSrcTracking 3 }
+
+pfSrcTrackRemovals OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of removals from the source tracking table."
+ ::= { pfSrcTracking 4 }
+
+
+-- pfLimits
+
+pfLimitStates OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum number of entries in the memory pool used by state
+ table entries (filter rules that specify 'keep state')."
+ ::= { pfLimits 1 }
+
+pfLimitSourceNodes OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum number of entries in the memory pool used for tracking
+ source IP addresses (filter rules that specify 'sticky-address' or
+ 'source-track' options)."
+ ::= { pfLimits 2 }
+
+pfLimitFragments OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum number of entries in the memory pool used for packet
+ reassembly (scrub rules)."
+ ::= { pfLimits 3 }
+
+pfLimitMaxTables OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum number of tables that can be created as part of the
+ active ruleset."
+ ::= { pfLimits 4 }
+
+pfLimitMaxTableEntries OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The overall maximum number of addresses that can be stored in
+ tables."
+ ::= { pfLimits 5 }
+
+
+-- pfTimeouts
+
+pfTimeoutTcpFirst OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State after receiving the first TCP packet in a new connection."
+ ::= { pfTimeouts 1 }
+
+pfTimeoutTcpOpening OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State before the destination host ever sends a packet in response
+ to a new connection from this host."
+ ::= { pfTimeouts 2 }
+
+pfTimeoutTcpEstablished OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State when a TCP connection is fully established."
+ ::= { pfTimeouts 3 }
+
+pfTimeoutTcpClosing OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State after the first FIN has been sent."
+ ::= { pfTimeouts 4 }
+
+pfTimeoutTcpFinWait OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State after both FINs are sent and the connection is closed."
+ ::= { pfTimeouts 5 }
+
+pfTimeoutTcpClosed OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State after the first RST has been sent."
+ ::= { pfTimeouts 6 }
+
+pfTimeoutUdpFirst OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State after receiving the first UDP packet."
+ ::= { pfTimeouts 7 }
+
+pfTimeoutUdpSingle OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State if the source sends more than 1 packet but the destination
+ has never sent a packet back."
+ ::= { pfTimeouts 8 }
+
+pfTimeoutUdpMultiple OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State when both hosts have sent packets."
+ ::= { pfTimeouts 9 }
+
+pfTimeoutIcmpFirst OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State after receiving the first ICMP packet."
+ ::= { pfTimeouts 10 }
+
+pfTimeoutIcmpError OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State when an ICMP error comes back in response to an ICMP
+ packet."
+ ::= { pfTimeouts 11 }
+
+pfTimeoutOtherFirst OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State after receiving the first packet."
+ ::= { pfTimeouts 12 }
+
+pfTimeoutOtherSingle OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State if the source sends more than 1 packet but the destination
+ has never sent a packet back."
+ ::= { pfTimeouts 13 }
+
+pfTimeoutOtherMultiple OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "State when both hosts have sent packets."
+ ::= { pfTimeouts 14 }
+
+pfTimeoutFragment OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "How long before an unassembled fragment is expired."
+ ::= { pfTimeouts 15 }
+
+pfTimeoutInterval OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Interval before purging expired states and fragments."
+ ::= { pfTimeouts 16 }
+
+pfTimeoutAdaptiveStart OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When the number of state entries exceeds this value, adaptive
+ scaling begins."
+ ::= { pfTimeouts 17 }
+
+pfTimeoutAdaptiveEnd OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When reaching this number of state entries, all timeout values
+ become zero, effectively purging all state entries immediately."
+ ::= { pfTimeouts 18 }
+
+pfTimeoutSrcTrack OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Time that a source tracking entry will stay around after the
+ last state expires."
+ ::= { pfTimeouts 19 }
+
+
+-- pfInterfaces
+
+pfIfNumber OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of network interfaces present on this system."
+ ::= { pfInterfaces 1 }
+
+pfIfTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF PfIfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of individual interfaces. The number of entries is
+ given by the value of pfIfNumber."
+ ::= { pfInterfaces 128 }
+
+pfIfEntry OBJECT-TYPE
+ SYNTAX PfIfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing management information applicable to a
+ particular interface."
+ INDEX { pfIfIndex }
+ ::= { pfIfTable 1 }
+
+PfIfEntry ::=
+ SEQUENCE {
+ pfIfIndex Integer32,
+ pfIfDescr OCTET STRING,
+ pfIfType INTEGER,
+ pfIfRefs Unsigned32,
+ pfIfRules Unsigned32,
+ pfIfIn4PassPkts Counter64,
+ pfIfIn4PassBytes Counter64,
+ pfIfIn4BlockPkts Counter64,
+ pfIfIn4BlockBytes Counter64,
+ pfIfOut4PassPkts Counter64,
+ pfIfOut4PassBytes Counter64,
+ pfIfOut4BlockPkts Counter64,
+ pfIfOut4BlockBytes Counter64,
+ pfIfIn6PassPkts Counter64,
+ pfIfIn6PassBytes Counter64,
+ pfIfIn6BlockPkts Counter64,
+ pfIfIn6BlockBytes Counter64,
+ pfIfOut6PassPkts Counter64,
+ pfIfOut6PassBytes Counter64,
+ pfIfOut6BlockPkts Counter64,
+ pfIfOut6BlockBytes Counter64
+ }
+
+pfIfIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value, greater than zero, for each interface. It
+ is recommended that values are assigned contiguously
+ starting from 1. The value for each interface sub-layer
+ must remain constant at least from one re-initialization of
+ the entity's network management system to the next re-
+ initialization."
+ ::= { pfIfEntry 1 }
+
+pfIfDescr OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of the interface."
+ ::= { pfIfEntry 2 }
+
+pfIfType OBJECT-TYPE
+ SYNTAX INTEGER { group(0), instance(1), detached(2) }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Denotes whether the interface is a group interface, an interface
+ instance, or whether it's been removed or destroyed."
+ ::= { pfIfEntry 3 }
+
+pfIfRefs OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of state and/or source track entries which reference
+ the interface."
+ ::= { pfIfEntry 4 }
+
+pfIfRules OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of rules which reference the interface."
+ ::= { pfIfEntry 5 }
+
+pfIfIn4PassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv4 packets passed in."
+ ::= { pfIfEntry 6 }
+
+pfIfIn4PassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv4 bytes passed in."
+ ::= { pfIfEntry 7 }
+
+pfIfIn4BlockPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming IPv4 packets blocked."
+ ::= { pfIfEntry 8 }
+
+pfIfIn4BlockBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming IPv4 bytes blocked."
+ ::= { pfIfEntry 9 }
+
+pfIfOut4PassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv4 bytes passed out."
+ ::= { pfIfEntry 10 }
+
+pfIfOut4PassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv4 bytes passed out."
+ ::= { pfIfEntry 11 }
+
+pfIfOut4BlockPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outgoing IPv4 bytes blocked."
+ ::= { pfIfEntry 12 }
+
+pfIfOut4BlockBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outgoing IPv4 bytes blocked."
+ ::= { pfIfEntry 13 }
+
+pfIfIn6PassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv6 packets passed in."
+ ::= { pfIfEntry 14 }
+
+pfIfIn6PassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv6 bytes passed in."
+ ::= { pfIfEntry 15 }
+
+pfIfIn6BlockPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming IPv6 packets blocked."
+ ::= { pfIfEntry 16 }
+
+pfIfIn6BlockBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming IPv6 bytes blocked."
+ ::= { pfIfEntry 17 }
+
+pfIfOut6PassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv6 bytes passed out."
+ ::= { pfIfEntry 18 }
+
+pfIfOut6PassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IPv6 bytes passed out."
+ ::= { pfIfEntry 19 }
+
+pfIfOut6BlockPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outgoing IPv6 bytes blocked."
+ ::= { pfIfEntry 20 }
+
+pfIfOut6BlockBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outgoing IPv6 bytes blocked."
+ ::= { pfIfEntry 21 }
+
+
+-- pfTables
+
+pfTblNumber OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of tables present on this system."
+ ::= { pfTables 1 }
+
+pfTblTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF TblEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of individual tables. The number of entries is
+ given by the value of tblNumber."
+ ::= { pfTables 128 }
+
+pfTblEntry OBJECT-TYPE
+ SYNTAX TblEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing management information applicable to a
+ particular table."
+ INDEX { pfTblIndex }
+ ::= { pfTblTable 1 }
+
+TblEntry ::=
+ SEQUENCE {
+ pfTblIndex Integer32,
+ pfTblName OCTET STRING,
+ pfTblAddresses Integer32,
+ pfTblAnchorRefs Integer32,
+ pfTblRuleRefs Integer32,
+ pfTblEvalsMatch Counter64,
+ pfTblEvalsNoMatch Counter64,
+ pfTblInPassPkts Counter64,
+ pfTblInPassBytes Counter64,
+ pfTblInBlockPkts Counter64,
+ pfTblInBlockBytes Counter64,
+ pfTblInXPassPkts Counter64,
+ pfTblInXPassBytes Counter64,
+ pfTblOutPassPkts Counter64,
+ pfTblOutPassBytes Counter64,
+ pfTblOutBlockPkts Counter64,
+ pfTblOutBlockBytes Counter64,
+ pfTblOutXPassPkts Counter64,
+ pfTblOutXPassBytes Counter64,
+ pfTblStatsCleared TimeTicks
+ }
+
+pfTblIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value, greater than zero, for each table."
+ ::= { pfTblEntry 1 }
+
+pfTblName OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of the table."
+ ::= { pfTblEntry 2 }
+
+pfTblAddresses OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of addresses currently stored in the table."
+ ::= { pfTblEntry 3 }
+
+pfTblAnchorRefs OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of anchors which reference the table."
+ ::= { pfTblEntry 4 }
+
+pfTblRuleRefs OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of rules which reference the table."
+ ::= { pfTblEntry 5 }
+
+pfTblEvalsMatch OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of table evaluations that produced a match."
+ ::= { pfTblEntry 6 }
+
+pfTblEvalsNoMatch OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of table evaluations that didn't match."
+ ::= { pfTblEntry 7 }
+
+pfTblInPassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets passed in that matched the table."
+ ::= { pfTblEntry 8 }
+
+pfTblInPassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of bytes passed in that matched the table."
+ ::= { pfTblEntry 9 }
+
+pfTblInBlockPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets blocked that matched the table."
+ ::= { pfTblEntry 10 }
+
+pfTblInBlockBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number incoming bytes blocked that matched the table."
+ ::= { pfTblEntry 11 }
+
+pfTblInXPassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets statefully passed in where the state
+ entry refers to the table, but the table no longer contains
+ the address in question."
+ ::= { pfTblEntry 12 }
+
+pfTblInXPassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of bytes statefully passed in where the state
+ entry refers to the table, but the table no longer contains
+ the address in question."
+ ::= { pfTblEntry 13 }
+
+pfTblOutPassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets passed out that matched the table."
+ ::= { pfTblEntry 14 }
+
+pfTblOutPassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of bytes passed out that matched the table."
+ ::= { pfTblEntry 15 }
+
+pfTblOutBlockPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outgoing packets blocked that matched the table."
+ ::= { pfTblEntry 16 }
+
+pfTblOutBlockBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number outgoing bytes blocked that matched the table."
+ ::= { pfTblEntry 17 }
+
+pfTblOutXPassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets statefully passed out where the state
+ entry refers to the table, but the table no longer contains
+ the address in question."
+ ::= { pfTblEntry 18 }
+
+pfTblOutXPassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of bytes statefully passed out where the state
+ entry refers to the table, but the table no longer contains
+ the address in question."
+ ::= { pfTblEntry 19 }
+
+pfTblStatsCleared OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "1/100th of a Second"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of seconds that have passed since the statistics
+ for this pf table were zeroed."
+ ::= { pfTblEntry 20 }
+
+pfTblAddrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF TblAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing the addresses/CIDR network blocks from
+ every table on the system."
+ ::= { pfTables 129 }
+
+pfTblAddrEntry OBJECT-TYPE
+ SYNTAX TblAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing management information applicable to a
+ particular table."
+ INDEX { pfTblAddrTblIndex, pfTblAddrNet, pfTblAddrMask }
+ ::= { pfTblAddrTable 1 }
+
+TblAddrEntry ::=
+ SEQUENCE {
+ pfTblAddrTblIndex Integer32,
+ pfTblAddrNet IpAddress,
+ pfTblAddrMask Integer32,
+ pfTblAddrCleared TimeTicks,
+ pfTblAddrInBlockPkts Counter64,
+ pfTblAddrInBlockBytes Counter64,
+ pfTblAddrInPassPkts Counter64,
+ pfTblAddrInPassBytes Counter64,
+ pfTblAddrOutBlockPkts Counter64,
+ pfTblAddrOutBlockBytes Counter64,
+ pfTblAddrOutPassPkts Counter64,
+ pfTblAddrOutPassBytes Counter64
+ }
+
+pfTblAddrTblIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The index value which uniquely identifies the table which
+ contains this pfTblAddrNet/pfTblAddrMask pair."
+ ::= { pfTblAddrEntry 1 }
+
+pfTblAddrNet OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address portion of the CIDR network for this
+ particular table entry."
+ ::= { pfTblAddrEntry 2 }
+
+pfTblAddrMask OBJECT-TYPE
+ SYNTAX Integer32 (0..32)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The CIDR bitmask for this particular table entry."
+ ::= { pfTblAddrEntry 3 }
+
+pfTblAddrCleared OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "1/100th of a Second"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time that's passed since the statistics where last cleared, or
+ since the pfTblAddrNet/pfTblAddrMask pair was loaded into the table,
+ whichever is sooner."
+ ::= { pfTblAddrEntry 4 }
+
+pfTblAddrInBlockPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of inbound packets blocked as a result of matching
+ this table entry."
+ ::= { pfTblAddrEntry 5 }
+
+pfTblAddrInBlockBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of inbound bytes blocked as a result of matching
+ this table entry."
+ ::= { pfTblAddrEntry 6 }
+
+pfTblAddrInPassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of inbound packets passed as a result of matching
+ this table entry."
+ ::= { pfTblAddrEntry 7 }
+
+pfTblAddrInPassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of inbound bytes passed as a result of matching
+ this table entry."
+ ::= { pfTblAddrEntry 8 }
+
+pfTblAddrOutBlockPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outbound packets blocked as a result of matching
+ this table entry."
+ ::= { pfTblAddrEntry 9 }
+
+pfTblAddrOutBlockBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outbound bytes blocked as a result of matching
+ this table entry."
+ ::= { pfTblAddrEntry 10 }
+
+pfTblAddrOutPassPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outbound packets passed as a result of matchin
+ this table entry."
+ ::= { pfTblAddrEntry 11 }
+
+pfTblAddrOutPassBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outbound bytes passed as a result of matchg
+ this table entry."
+ ::= { pfTblAddrEntry 12 }
+
+
+-- pfLabels
+
+pfLabelNumber OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of labels in the active pf ruleset."
+ ::= { pfLabels 1 }
+
+pfLabelTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF PfLabelEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of individual labels. The number of entries is
+ given by the value of pfLabelNumber."
+ ::= { pfLabels 128 }
+
+pfLabelEntry OBJECT-TYPE
+ SYNTAX PfLabelEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing management information applicable to a
+ particular label."
+ INDEX { pfLabelIndex }
+ ::= { pfLabelTable 1 }
+
+PfLabelEntry ::=
+ SEQUENCE {
+ pfLabelIndex Integer32,
+ pfLabelName OCTET STRING,
+ pfLabelEvals Counter64,
+ pfLabelPkts Counter64,
+ pfLabelBytes Counter64,
+ pfLabelInPkts Counter64,
+ pfLabelInBytes Counter64,
+ pfLabelOutPkts Counter64,
+ pfLabelOutBytes Counter64,
+ pfLabelTotalStates Counter32
+ }
+
+pfLabelIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value, greater than zero, for each label."
+ ::= { pfLabelEntry 1 }
+
+pfLabelName OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of the label."
+ ::= { pfLabelEntry 2 }
+
+pfLabelEvals OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of rule evaluations."
+ ::= { pfLabelEntry 3 }
+
+pfLabelPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets matched by the rule."
+ ::= { pfLabelEntry 4 }
+
+pfLabelBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of bytes matched by the rule."
+ ::= { pfLabelEntry 5 }
+
+pfLabelInPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets matched by the rule."
+ ::= { pfLabelEntry 6 }
+
+pfLabelInBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming bytes matched by the rule."
+ ::= { pfLabelEntry 7 }
+
+pfLabelOutPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outgoing packets matched by the rule."
+ ::= { pfLabelEntry 8 }
+
+pfLabelOutBytes OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outgoing bytes matched by the rule."
+ ::= { pfLabelEntry 9 }
+
+pfLabelTotalStates OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of state table entries created by this rule
+ since the ruleset was loaded."
+ ::= { pfLabelEntry 10 }
+
+
+-- pfsyncStats
+
+pfsyncIpPktsRecv OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of IPv4 pfsync packets received on all interfaces."
+ ::= { pfsyncStats 1 }
+
+pfsyncIp6PktsRecv OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of IPv6 pfsync packets received on all interfaces."
+ ::= { pfsyncStats 2 }
+
+pfsyncPktDiscardsForBadInterface OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded because it was received
+ on an interface that is not running pfsync."
+ ::= { pfsyncStats 3 }
+
+pfsyncPktDiscardsForBadTtl OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded due to having a TTL less
+ than 255."
+ ::= { pfsyncStats 4 }
+
+pfsyncPktShorterThanHeader OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets received that had a length shorter
+ than the pfsync packet header."
+ ::= { pfsyncStats 5 }
+
+pfsyncPktDiscardsForBadVersion OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded due to incorrect protocol
+ version."
+ ::= { pfsyncStats 6 }
+
+pfsyncPktDiscardsForBadAction OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded due to an invalid pfsync
+ action in the header."
+ ::= { pfsyncStats 7 }
+
+pfsyncPktDiscardsForBadLength OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded due to incorrect size."
+ ::= { pfsyncStats 8 }
+
+pfsyncPktDiscardsForBadAuth OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded due to authentication failure."
+ ::= { pfsyncStats 9 }
+
+pfsyncPktDiscardsForStaleState OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded because they tried to update
+ a stale state entry."
+ ::= { pfsyncStats 10 }
+
+pfsyncPktDiscardsForBadValues OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded due to containing bad values."
+ ::= { pfsyncStats 11 }
+
+pfsyncPktDiscardsForBadState OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets discarded due to state insert/lookup
+ failure."
+ ::= { pfsyncStats 12 }
+
+pfsyncIpPktsSent OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of IPv4 pfsync packets sent on all interfaces."
+ ::= { pfsyncStats 13 }
+
+pfsyncIp6PktsSent OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of IPv6 pfsync packets sent on all interfaces."
+ ::= { pfsyncStats 14 }
+
+pfsyncNoMemory OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets which could not be sent due to
+ insufficient memory."
+ ::= { pfsyncStats 15 }
+
+pfsyncOutputErrors OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of pfsync packets which could not be sent."
+ ::= { pfsyncStats 16 }
+
+END
+
diff --git a/usr.sbin/snmpd/Makefile b/usr.sbin/snmpd/Makefile
index e4a0fd7f69f..65291387f72 100644
--- a/usr.sbin/snmpd/Makefile
+++ b/usr.sbin/snmpd/Makefile
@@ -1,9 +1,10 @@
-# $OpenBSD: Makefile,v 1.6 2010/05/26 16:44:33 nicm Exp $
+# $OpenBSD: Makefile,v 1.7 2012/02/23 03:54:38 joel Exp $
PROG= snmpd
MAN= snmpd.8 snmpd.conf.5
SRCS= parse.y ber.c log.c control.c snmpe.c \
- mps.c trap.c mib.c smi.c kroute.c snmpd.c timer.c
+ mps.c trap.c mib.c smi.c kroute.c snmpd.c timer.c \
+ pf.c
LDADD= -levent -lutil
DPADD= ${LIBEVENT} ${LIBUTIL}
diff --git a/usr.sbin/snmpd/mib.c b/usr.sbin/snmpd/mib.c
index 7ac40315e5f..ec04873b914 100644
--- a/usr.sbin/snmpd/mib.c
+++ b/usr.sbin/snmpd/mib.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: mib.c,v 1.49 2012/01/31 18:00:46 joel Exp $ */
+/* $OpenBSD: mib.c,v 1.50 2012/02/23 03:54:38 joel Exp $ */
/*
+ * Copyright (c) 2012 Joel Knight <joel@openbsd.org>
* Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
*
* Permission to use, copy, modify, and distribute this software for any
@@ -33,6 +34,8 @@
#include <net/if.h>
#include <net/if_types.h>
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -46,6 +49,7 @@
#include <event.h>
#include <fcntl.h>
#include <string.h>
+#include <time.h>
#include <unistd.h>
#include <pwd.h>
@@ -1214,6 +1218,7 @@ mib_ifrcvtable(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
/*
* Defined in
+ * - OPENBSD-PF-MIB.txt
* - OPENBSD-SENSORS-MIB.txt
* - OPENBSD-CARP-MIB.txt
* (http://www.packetmischief.ca/openbsd-snmp-mibs/)
@@ -1224,10 +1229,29 @@ struct carpif {
struct kif kif;
};
+int mib_pfinfo(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pfcounters(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pfscounters(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pflogif(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pfsrctrack(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pflimits(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pftimeouts(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pfifnum(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pfiftable(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pftablenum(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pftables(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pftableaddrs(struct oid *, struct ber_oid *, struct ber_element **);
+struct ber_oid *
+ mib_pftableaddrstable(struct oid *, struct ber_oid *, struct ber_oid *);
+int mib_pflabelnum(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pflabels(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_pfsyncstats(struct oid *, struct ber_oid *, struct ber_element **);
+
int mib_sensornum(struct oid *, struct ber_oid *, struct ber_element **);
int mib_sensors(struct oid *, struct ber_oid *, struct ber_element **);
const char *mib_sensorunit(struct sensor *);
char *mib_sensorvalue(struct sensor *);
+
int mib_carpsysctl(struct oid *, struct ber_oid *, struct ber_element **);
int mib_carpstats(struct oid *, struct ber_oid *, struct ber_element **);
int mib_carpiftable(struct oid *, struct ber_oid *, struct ber_element **);
@@ -1237,6 +1261,165 @@ struct carpif
int mib_memiftable(struct oid *, struct ber_oid *, struct ber_element **);
static struct oid openbsd_mib[] = {
+ { MIB(pfMIBObjects), OID_MIB },
+ { MIB(pfRunning), OID_RD, mib_pfinfo },
+ { MIB(pfRuntime), OID_RD, mib_pfinfo },
+ { MIB(pfDebug), OID_RD, mib_pfinfo },
+ { MIB(pfHostid), OID_RD, mib_pfinfo },
+ { MIB(pfCntMatch), OID_RD, mib_pfcounters },
+ { MIB(pfCntBadOffset), OID_RD, mib_pfcounters },
+ { MIB(pfCntFragment), OID_RD, mib_pfcounters },
+ { MIB(pfCntShort), OID_RD, mib_pfcounters },
+ { MIB(pfCntNormalize), OID_RD, mib_pfcounters },
+ { MIB(pfCntMemory), OID_RD, mib_pfcounters },
+ { MIB(pfCntTimestamp), OID_RD, mib_pfcounters },
+ { MIB(pfCntCongestion), OID_RD, mib_pfcounters },
+ { MIB(pfCntIpOptions), OID_RD, mib_pfcounters },
+ { MIB(pfCntProtoCksum), OID_RD, mib_pfcounters },
+ { MIB(pfCntStateMismatch), OID_RD, mib_pfcounters },
+ { MIB(pfCntStateInsert), OID_RD, mib_pfcounters },
+ { MIB(pfCntStateLimit), OID_RD, mib_pfcounters },
+ { MIB(pfCntSrcLimit), OID_RD, mib_pfcounters },
+ { MIB(pfCntSynproxy), OID_RD, mib_pfcounters },
+ { MIB(pfStateCount), OID_RD, mib_pfscounters },
+ { MIB(pfStateSearches), OID_RD, mib_pfscounters },
+ { MIB(pfStateInserts), OID_RD, mib_pfscounters },
+ { MIB(pfStateRemovals), OID_RD, mib_pfscounters },
+ { MIB(pfLogIfName), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIpBytesIn), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIpBytesOut), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIpPktsInPass), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIpPktsInDrop), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIpPktsOutPass), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIpPktsOutDrop), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIp6BytesIn), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIp6BytesOut), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIp6PktsInPass), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIp6PktsInDrop), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIp6PktsOutPass), OID_RD, mib_pflogif },
+ { MIB(pfLogIfIp6PktsOutDrop), OID_RD, mib_pflogif },
+ { MIB(pfSrcTrackCount), OID_RD, mib_pfsrctrack },
+ { MIB(pfSrcTrackSearches), OID_RD, mib_pfsrctrack },
+ { MIB(pfSrcTrackInserts), OID_RD, mib_pfsrctrack },
+ { MIB(pfSrcTrackRemovals), OID_RD, mib_pfsrctrack },
+ { MIB(pfLimitStates), OID_RD, mib_pflimits },
+ { MIB(pfLimitSourceNodes), OID_RD, mib_pflimits },
+ { MIB(pfLimitFragments), OID_RD, mib_pflimits },
+ { MIB(pfLimitMaxTables), OID_RD, mib_pflimits },
+ { MIB(pfLimitMaxTableEntries), OID_RD, mib_pflimits },
+ { MIB(pfTimeoutTcpFirst), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutTcpOpening), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutTcpEstablished), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutTcpClosing), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutTcpFinWait), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutTcpClosed), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutUdpFirst), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutUdpSingle), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutUdpMultiple), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutIcmpFirst), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutIcmpError), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutOtherFirst), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutOtherSingle), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutOtherMultiple), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutFragment), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutInterval), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutAdaptiveStart), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutAdaptiveEnd), OID_RD, mib_pftimeouts },
+ { MIB(pfTimeoutSrcTrack), OID_RD, mib_pftimeouts },
+ { MIB(pfIfNumber), OID_RD, mib_pfifnum },
+ { MIB(pfIfIndex), OID_TRD, mib_pfiftable },
+ { MIB(pfIfDescr), OID_TRD, mib_pfiftable },
+ { MIB(pfIfType), OID_TRD, mib_pfiftable },
+ { MIB(pfIfRefs), OID_TRD, mib_pfiftable },
+ { MIB(pfIfRules), OID_TRD, mib_pfiftable },
+ { MIB(pfIfIn4PassPkts), OID_TRD, mib_pfiftable },
+ { MIB(pfIfIn4PassBytes), OID_TRD, mib_pfiftable },
+ { MIB(pfIfIn4BlockPkts), OID_TRD, mib_pfiftable },
+ { MIB(pfIfIn4BlockBytes), OID_TRD, mib_pfiftable },
+ { MIB(pfIfOut4PassPkts), OID_TRD, mib_pfiftable },
+ { MIB(pfIfOut4PassBytes), OID_TRD, mib_pfiftable },
+ { MIB(pfIfOut4BlockPkts), OID_TRD, mib_pfiftable },
+ { MIB(pfIfOut4BlockBytes), OID_TRD, mib_pfiftable },
+ { MIB(pfIfIn6PassPkts), OID_TRD, mib_pfiftable },
+ { MIB(pfIfIn6PassBytes), OID_TRD, mib_pfiftable },
+ { MIB(pfIfIn6BlockPkts), OID_TRD, mib_pfiftable },
+ { MIB(pfIfIn6BlockBytes), OID_TRD, mib_pfiftable },
+ { MIB(pfIfOut6PassPkts), OID_TRD, mib_pfiftable },
+ { MIB(pfIfOut6PassBytes), OID_TRD, mib_pfiftable },
+ { MIB(pfIfOut6BlockPkts), OID_TRD, mib_pfiftable },
+ { MIB(pfIfOut6BlockBytes), OID_TRD, mib_pfiftable },
+ { MIB(pfTblNumber), OID_RD, mib_pftablenum },
+ { MIB(pfTblIndex), OID_TRD, mib_pftables },
+ { MIB(pfTblName), OID_TRD, mib_pftables },
+ { MIB(pfTblAddresses), OID_TRD, mib_pftables },
+ { MIB(pfTblAnchorRefs), OID_TRD, mib_pftables },
+ { MIB(pfTblRuleRefs), OID_TRD, mib_pftables },
+ { MIB(pfTblEvalsMatch), OID_TRD, mib_pftables },
+ { MIB(pfTblEvalsNoMatch), OID_TRD, mib_pftables },
+ { MIB(pfTblInPassPkts), OID_TRD, mib_pftables },
+ { MIB(pfTblInPassBytes), OID_TRD, mib_pftables },
+ { MIB(pfTblInBlockPkts), OID_TRD, mib_pftables },
+ { MIB(pfTblInBlockBytes), OID_TRD, mib_pftables },
+ { MIB(pfTblInXPassPkts), OID_TRD, mib_pftables },
+ { MIB(pfTblInXPassBytes), OID_TRD, mib_pftables },
+ { MIB(pfTblOutPassPkts), OID_TRD, mib_pftables },
+ { MIB(pfTblOutPassBytes), OID_TRD, mib_pftables },
+ { MIB(pfTblOutBlockPkts), OID_TRD, mib_pftables },
+ { MIB(pfTblOutBlockBytes), OID_TRD, mib_pftables },
+ { MIB(pfTblOutXPassPkts), OID_TRD, mib_pftables },
+ { MIB(pfTblOutXPassBytes), OID_TRD, mib_pftables },
+ { MIB(pfTblStatsCleared), OID_TRD, mib_pftables },
+ { MIB(pfTblAddrTblIndex), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrNet), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrMask), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrCleared), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrInBlockPkts), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrInBlockBytes), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrInPassPkts), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrInPassBytes), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrOutBlockPkts), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrOutBlockBytes), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrOutPassPkts), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfTblAddrOutPassBytes), OID_TRD, mib_pftableaddrs,
+ NULL, mib_pftableaddrstable },
+ { MIB(pfLabelNumber), OID_RD, mib_pflabelnum },
+ { MIB(pfLabelIndex), OID_TRD, mib_pflabels },
+ { MIB(pfLabelName), OID_TRD, mib_pflabels },
+ { MIB(pfLabelEvals), OID_TRD, mib_pflabels },
+ { MIB(pfLabelPkts), OID_TRD, mib_pflabels },
+ { MIB(pfLabelBytes), OID_TRD, mib_pflabels },
+ { MIB(pfLabelInPkts), OID_TRD, mib_pflabels },
+ { MIB(pfLabelInBytes), OID_TRD, mib_pflabels },
+ { MIB(pfLabelOutPkts), OID_TRD, mib_pflabels },
+ { MIB(pfLabelOutBytes), OID_TRD, mib_pflabels },
+ { MIB(pfLabelTotalStates), OID_TRD, mib_pflabels },
+ { MIB(pfsyncIpPktsRecv), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncIp6PktsRecv), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForBadInterface), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForBadTtl), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktShorterThanHeader), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForBadVersion), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForBadAction), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForBadLength), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForBadAuth), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForStaleState), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForBadValues), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncPktDiscardsForBadState), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncIpPktsSent), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncIp6PktsSent), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncNoMemory), OID_RD, mib_pfsyncstats },
+ { MIB(pfsyncOutputErrors), OID_RD, mib_pfsyncstats },
{ MIB(sensorsMIBObjects), OID_MIB },
{ MIB(sensorNumber), OID_RD, mib_sensornum },
{ MIB(sensorIndex), OID_TRD, mib_sensors },
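Review bot: The pfTblAddr* rows (pfTblAddrTblIndex through pfTblAddrOutPassBytes) are the only PF entries given the extra `NULL, mib_pftableaddrstable` initialisers, and nothing at the registration says what their row index looks like or that it comes from the manager. Judging by the part of mib_pftableaddrs visible later in this commit, the index appears to be table index, four address octets and mask, read from fixed positions of the request OID with no length check in view, so I would add above the first of these rows: `/* pfTblAddr*: index = tblidx.a.b.c.d.mask, supplied in the request OID */`. Every PF row here is OID_RD or OID_TRD with a getter only, which is worth one comment line as well, because the subtree publishes table addresses, rule labels and pf limits to any manager with read access. The openbsd_mib[] initializer opens in this hunk but closes outside it.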
@@ -1282,6 +1465,827 @@ static struct oid openbsd_mib[] = {
};
int
+mib_pfinfo(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct pf_status s;
+ time_t runtime;
+ char str[11];
+
+ if (pf_get_stats(&s))
+ return (-1);
+
+ switch (oid->o_oid[OIDIDX_pfstatus]) {
+ case 1:
+ *elm = ber_add_integer(*elm, s.running);
+ break;
+ case 2:
+ if (s.since > 0)
+ runtime = time(NULL) - s.since;
+ else
+ runtime = 0;
+ runtime *= 100;
+ *elm = ber_add_integer(*elm, runtime);
+ ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);
+ break;
+ case 3:
+ *elm = ber_add_integer(*elm, s.debug);
+ break;
+ case 4:
+ snprintf(str, sizeof(str), "0x%08x", ntohl(s.hostid));
+ *elm = ber_add_string(*elm, str);
+ break;
+ default:
+ return (-1);
+ }
+
+ return (0);
+}
+
+int
+mib_pfcounters(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct pf_status s;
+ int i;
+ struct statsmap {
+ u_int8_t m_id;
+ u_int64_t *m_ptr;
+ } mapping[] = {
+ { 1, &s.counters[PFRES_MATCH] },
+ { 2, &s.counters[PFRES_BADOFF] },
+ { 3, &s.counters[PFRES_FRAG] },
+ { 4, &s.counters[PFRES_SHORT] },
+ { 5, &s.counters[PFRES_NORM] },
+ { 6, &s.counters[PFRES_MEMORY] },
+ { 7, &s.counters[PFRES_TS] },
+ { 8, &s.counters[PFRES_CONGEST] },
+ { 9, &s.counters[PFRES_IPOPTIONS] },
+ { 10, &s.counters[PFRES_PROTCKSUM] },
+ { 11, &s.counters[PFRES_BADSTATE] },
+ { 12, &s.counters[PFRES_STATEINS] },
+ { 13, &s.counters[PFRES_MAXSTATES] },
+ { 14, &s.counters[PFRES_SRCLIMIT] },
+ { 15, &s.counters[PFRES_SYNPROXY] }
+ };
+
+ if (pf_get_stats(&s))
+ return (-1);
+
+ for (i = 0;
+ (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+ if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+ *elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+ ber_set_header(*elm, BER_CLASS_APPLICATION,
+ SNMP_T_COUNTER64);
+ return (0);
+ }
+ }
+ return (-1);
+}
+
+int
+mib_pfscounters(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct pf_status s;
+ int i;
+ struct statsmap {
+ u_int8_t m_id;
+ u_int64_t *m_ptr;
+ } mapping[] = {
+ { 2, &s.fcounters[FCNT_STATE_SEARCH] },
+ { 3, &s.fcounters[FCNT_STATE_INSERT] },
+ { 4, &s.fcounters[FCNT_STATE_REMOVALS] },
+ };
+
+ if (pf_get_stats(&s))
+ return (-1);
+
+ switch (oid->o_oid[OIDIDX_pfstatus]) {
+ case 1:
+ *elm = ber_add_integer(*elm, s.states);
+ ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+ break;
+ default:
+ for (i = 0;
+ (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+ if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+ *elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+ ber_set_header(*elm, BER_CLASS_APPLICATION,
+ SNMP_T_COUNTER64);
+ return (0);
+ }
+ }
+ return (-1);
+ }
+
+ return (0);
+}
+
+int
+mib_pflogif(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct pf_status s;
+ int i;
+ struct statsmap {
+ u_int8_t m_id;
+ u_int64_t *m_ptr;
+ } mapping[] = {
+ { 2, &s.bcounters[IPV4][IN] },
+ { 3, &s.bcounters[IPV4][OUT] },
+ { 4, &s.pcounters[IPV4][IN][PF_PASS] },
+ { 5, &s.pcounters[IPV4][IN][PF_DROP] },
+ { 6, &s.pcounters[IPV4][OUT][PF_PASS] },
+ { 7, &s.pcounters[IPV4][OUT][PF_DROP] },
+ { 8, &s.bcounters[IPV6][IN] },
+ { 9, &s.bcounters[IPV6][OUT] },
+ { 10, &s.pcounters[IPV6][IN][PF_PASS] },
+ { 11, &s.pcounters[IPV6][IN][PF_DROP] },
+ { 12, &s.pcounters[IPV6][OUT][PF_PASS] },
+ { 13, &s.pcounters[IPV6][OUT][PF_DROP] }
+ };
+
+ if (pf_get_stats(&s))
+ return (-1);
+
+ switch (oid->o_oid[OIDIDX_pfstatus]) {
+ case 1:
+ *elm = ber_add_string(*elm, s.ifname);
+ break;
+ default:
+ for (i = 0;
+ (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+ if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+ *elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+ ber_set_header(*elm, BER_CLASS_APPLICATION,
+ SNMP_T_COUNTER64);
+ return (0);
+ }
+ }
+ return (-1);
+ }
+
+ return (0);
+}
+
+int
+mib_pfsrctrack(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct pf_status s;
+ int i;
+ struct statsmap {
+ u_int8_t m_id;
+ u_int64_t *m_ptr;
+ } mapping[] = {
+ { 2, &s.scounters[SCNT_SRC_NODE_SEARCH] },
+ { 3, &s.scounters[SCNT_SRC_NODE_INSERT] },
+ { 4, &s.scounters[SCNT_SRC_NODE_REMOVALS] }
+ };
+
+ if (pf_get_stats(&s))
+ return (-1);
+
+ switch (oid->o_oid[OIDIDX_pfstatus]) {
+ case 1:
+ *elm = ber_add_integer(*elm, s.src_nodes);
+ ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+ break;
+ default:
+ for (i = 0;
+ (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+ if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+ *elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+ ber_set_header(*elm, BER_CLASS_APPLICATION,
+ SNMP_T_COUNTER64);
+ return (0);
+ }
+ }
+ return (-1);
+ }
+
+ return (0);
+}
+
+int
+mib_pflimits(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct pfioc_limit pl;
+ int i;
+ extern int devpf;
+ struct statsmap {
+ u_int8_t m_id;
+ u_int8_t m_limit;
+ } mapping[] = {
+ { 1, PF_LIMIT_STATES },
+ { 2, PF_LIMIT_SRC_NODES },
+ { 3, PF_LIMIT_FRAGS },
+ { 4, PF_LIMIT_TABLES },
+ { 5, PF_LIMIT_TABLE_ENTRIES }
+ };
+
+ memset(&pl, 0, sizeof(pl));
+ pl.index = PF_LIMIT_MAX;
+
+ for (i = 0;
+ (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+ if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+ pl.index = mapping[i].m_limit;
+ break;
+ }
+ }
+
+ if (pl.index == PF_LIMIT_MAX)
+ return (-1);
+
+ if (ioctl(devpf, DIOCGETLIMIT, &pl)) {
+ log_warn("DIOCGETLIMIT");
+ return (-1);
+ }
+
+ *elm = ber_add_integer(*elm, pl.limit);
+ ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+
+ return (0);
+}
+
+int
+mib_pftimeouts(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct pfioc_tm pt;
+ int i;
+ extern int devpf;
+ struct statsmap {
+ u_int8_t m_id;
+ u_int8_t m_tm;
+ } mapping[] = {
+ { 1, PFTM_TCP_FIRST_PACKET },
+ { 2, PFTM_TCP_OPENING },
+ { 3, PFTM_TCP_ESTABLISHED },
+ { 4, PFTM_TCP_CLOSING },
+ { 5, PFTM_TCP_FIN_WAIT },
+ { 6, PFTM_TCP_CLOSED },
+ { 7, PFTM_UDP_FIRST_PACKET },
+ { 8, PFTM_UDP_SINGLE },
+ { 9, PFTM_UDP_MULTIPLE },
+ { 10, PFTM_ICMP_FIRST_PACKET },
+ { 11, PFTM_ICMP_ERROR_REPLY },
+ { 12, PFTM_OTHER_FIRST_PACKET },
+ { 13, PFTM_OTHER_SINGLE },
+ { 14, PFTM_OTHER_MULTIPLE },
+ { 15, PFTM_FRAG },
+ { 16, PFTM_INTERVAL },
+ { 17, PFTM_ADAPTIVE_START },
+ { 18, PFTM_ADAPTIVE_END },
+ { 19, PFTM_SRC_NODE }
+ };
+
+ memset(&pt, 0, sizeof(pt));
+ pt.timeout = PFTM_MAX;
+
+ for (i = 0;
+ (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+ if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+ pt.timeout = mapping[i].m_tm;
+ break;
+ }
+ }
+
+ if (pt.timeout == PFTM_MAX)
+ return (-1);
+
+ if (ioctl(devpf, DIOCGETTIMEOUT, &pt)) {
+ log_warn("DIOCGETTIMEOUT");
+ return (-1);
+ }
+
+ *elm = ber_add_integer(*elm, pt.seconds);
+
+ return (0);
+}
+
+int
+mib_pfifnum(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ int c;
+
+ if ((c = pfi_count()) == -1)
+ return (-1);
+
+ *elm = ber_add_integer(*elm, c);
+
+ return (0);
+}
+
+int
+mib_pfiftable(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct ber_element *ber = *elm;
+ struct pfi_kif pif;
+ int idx, iftype;
+
+ /* Get and verify the current row index */
+ idx = o->bo_id[OIDIDX_pfIfEntry];
+
+ if (pfi_get_if(&pif, idx))
+ return (1);
+
+ ber = ber_add_oid(ber, o);
+
+ switch (o->bo_id[OIDIDX_pfInterface]) {
+ case 1:
+ ber = ber_add_integer(ber, idx);
+ break;
+ case 2:
+ ber = ber_add_string(ber, pif.pfik_name);
+ break;
+ case 3:
+ iftype = (pif.pfik_ifp == NULL ? PFI_IFTYPE_GROUP
+ : PFI_IFTYPE_INSTANCE);
+ ber = ber_add_integer(ber, iftype);
+ break;
+ case 4:
+ ber = ber_add_integer(ber, pif.pfik_states);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+ break;
+ case 5:
+ ber = ber_add_integer(ber, pif.pfik_rules);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+ break;
+ case 6:
+ ber = ber_add_integer(ber, pif.pfik_packets[IPV4][IN][PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 7:
+ ber = ber_add_integer(ber, pif.pfik_bytes[IPV4][IN][PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 8:
+ ber = ber_add_integer(ber, pif.pfik_packets[IPV4][IN][BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 9:
+ ber = ber_add_integer(ber, pif.pfik_bytes[IPV4][IN][BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 10:
+ ber = ber_add_integer(ber, pif.pfik_packets[IPV4][OUT][PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 11:
+ ber = ber_add_integer(ber, pif.pfik_bytes[IPV4][OUT][PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 12:
+ ber = ber_add_integer(ber, pif.pfik_packets[IPV4][OUT][BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 13:
+ ber = ber_add_integer(ber, pif.pfik_bytes[IPV4][OUT][BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 14:
+ ber = ber_add_integer(ber, pif.pfik_packets[IPV6][IN][PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 15:
+ ber = ber_add_integer(ber, pif.pfik_bytes[IPV6][IN][PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 16:
+ ber = ber_add_integer(ber, pif.pfik_packets[IPV6][IN][BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 17:
+ ber = ber_add_integer(ber, pif.pfik_bytes[IPV6][IN][BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 18:
+ ber = ber_add_integer(ber, pif.pfik_packets[IPV6][OUT][PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 19:
+ ber = ber_add_integer(ber, pif.pfik_bytes[IPV6][OUT][PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 20:
+ ber = ber_add_integer(ber, pif.pfik_packets[IPV6][OUT][BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 21:
+ ber = ber_add_integer(ber, pif.pfik_bytes[IPV6][OUT][BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ default:
+ return (1);
+ }
+
+ return (0);
+}
+
+int
+mib_pftablenum(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ int c;
+
+ if ((c = pft_count()) == -1)
+ return (-1);
+
+ *elm = ber_add_integer(*elm, c);
+
+ return (0);
+}
+
+int
+mib_pftables(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct ber_element *ber = *elm;
+ struct pfr_tstats ts;
+ time_t tzero;
+ int idx;
+
+ /* Get and verify the current row index */
+ idx = o->bo_id[OIDIDX_pfTableEntry];
+
+ if (pft_get_table(&ts, idx))
+ return (1);
+
+ ber = ber_add_oid(ber, o);
+
+ switch (o->bo_id[OIDIDX_pfTable]) {
+ case 1:
+ ber = ber_add_integer(ber, idx);
+ break;
+ case 2:
+ ber = ber_add_string(ber, ts.pfrts_name);
+ break;
+ case 3:
+ ber = ber_add_integer(ber, ts.pfrts_cnt);
+ break;
+ case 4:
+ ber = ber_add_integer(ber, ts.pfrts_refcnt[PFR_REFCNT_ANCHOR]);
+ break;
+ case 5:
+ ber = ber_add_integer(ber, ts.pfrts_refcnt[PFR_REFCNT_RULE]);
+ break;
+ case 6:
+ ber = ber_add_integer(ber, ts.pfrts_match);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 7:
+ ber = ber_add_integer(ber, ts.pfrts_nomatch);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 8:
+ ber = ber_add_integer(ber, ts.pfrts_packets[IN][PFR_OP_PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 9:
+ ber = ber_add_integer(ber, ts.pfrts_bytes[IN][PFR_OP_PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 10:
+ ber = ber_add_integer(ber, ts.pfrts_packets[IN][PFR_OP_BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 11:
+ ber = ber_add_integer(ber, ts.pfrts_bytes[IN][PFR_OP_BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 12:
+ ber = ber_add_integer(ber, ts.pfrts_packets[IN][PFR_OP_XPASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 13:
+ ber = ber_add_integer(ber, ts.pfrts_bytes[IN][PFR_OP_XPASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 14:
+ ber = ber_add_integer(ber, ts.pfrts_packets[OUT][PFR_OP_PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 15:
+ ber = ber_add_integer(ber, ts.pfrts_bytes[OUT][PFR_OP_PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 16:
+ ber = ber_add_integer(ber, ts.pfrts_packets[OUT][PFR_OP_BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 17:
+ ber = ber_add_integer(ber, ts.pfrts_bytes[OUT][PFR_OP_BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 18:
+ ber = ber_add_integer(ber, ts.pfrts_packets[OUT][PFR_OP_XPASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 19:
+ ber = ber_add_integer(ber, ts.pfrts_bytes[OUT][PFR_OP_XPASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 20:
+ tzero = (time(NULL) - ts.pfrts_tzero) * 100;
+ ber = ber_add_integer(ber, tzero);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);
+ break;
+ default:
+ return (1);
+ }
+
+ return (0);
+}
+
+int
+mib_pftableaddrs(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct ber_element *ber = *elm;
+ struct pfr_astats as;
+ int tblidx;
+
+ tblidx = o->bo_id[OIDIDX_pfTblAddr + 1];
+ mps_decodeinaddr(o, &as.pfras_a.pfra_ip4addr, OIDIDX_pfTblAddr + 2);
+ as.pfras_a.pfra_net = o->bo_id[OIDIDX_pfTblAddr + 6];
+
+ if (pfta_get_addr(&as, tblidx))
+ return (-1);
+
+ /* write OID */
+ ber = ber_add_oid(ber, o);
+
+ switch (o->bo_id[OIDIDX_pfTblAddr]) {
+ case 1:
+ ber = ber_add_integer(ber, tblidx);
+ break;
+ case 2:
+ ber = ber_add_nstring(ber, (char *)&as.pfras_a.pfra_ip4addr,
+ sizeof(u_int32_t));
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_IPADDR);
+ break;
+ case 3:
+ ber = ber_add_integer(ber, as.pfras_a.pfra_net);
+ break;
+ case 4:
+ ber = ber_add_integer(ber, (time(NULL) - as.pfras_tzero) * 100);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);
+ break;
+ case 5:
+ ber = ber_add_integer(ber, as.pfras_packets[IN][PFR_OP_BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 6:
+ ber = ber_add_integer(ber, as.pfras_bytes[IN][PFR_OP_BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 7:
+ ber = ber_add_integer(ber, as.pfras_packets[IN][PFR_OP_PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 8:
+ ber = ber_add_integer(ber, as.pfras_bytes[IN][PFR_OP_PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 9:
+ ber = ber_add_integer(ber, as.pfras_packets[OUT][PFR_OP_BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 10:
+ ber = ber_add_integer(ber, as.pfras_bytes[OUT][PFR_OP_BLOCK]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 11:
+ ber = ber_add_integer(ber, as.pfras_packets[OUT][PFR_OP_PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 12:
+ ber = ber_add_integer(ber, as.pfras_bytes[OUT][PFR_OP_PASS]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ default:
+ return (-1);
+ }
+
+ return (0);
+}
+
+struct ber_oid *
+mib_pftableaddrstable(struct oid *oid, struct ber_oid *o, struct ber_oid *no)
+{
+ struct pfr_astats as;
+ struct oid a, b;
+ u_int32_t id, tblidx;
+
+ bcopy(&oid->o_id, no, sizeof(*no));
+ id = oid->o_oidlen - 1;
+
+ if (o->bo_n >= oid->o_oidlen) {
+ /*
+ * Compare the requested and the matched OID to see
+ * if we have to iterate to the next element.
+ */
+ bzero(&a, sizeof(a));
+ bcopy(o, &a.o_id, sizeof(struct ber_oid));
+ bzero(&b, sizeof(b));
+ bcopy(&oid->o_id, &b.o_id, sizeof(struct ber_oid));
+ b.o_oidlen--;
+ b.o_flags |= OID_TABLE;
+ if (smi_oid_cmp(&a, &b) == 0) {
+ o->bo_id[id] = oid->o_oid[id];
+ bcopy(o, no, sizeof(*no));
+ }
+ }
+
+ tblidx = no->bo_id[OIDIDX_pfTblAddr + 1];
+ mps_decodeinaddr(no, &as.pfras_a.pfra_ip4addr, OIDIDX_pfTblAddr + 2);
+ as.pfras_a.pfra_net = no->bo_id[OIDIDX_pfTblAddr + 6];
+
+ if (tblidx == 0) {
+ if (pfta_get_first(&as))
+ return (NULL);
+ tblidx = 1;
+ } else {
+ if (pfta_get_nextaddr(&as, &tblidx)) {
+ /* We reached the last addr in the last table.
+ * When the next OIDIDX_pfTblAddr'th OID is requested,
+ * get the first table address again.
+ */
+ o->bo_id[OIDIDX_pfTblAddr + 1] = 0;
+ smi_oidlen(o);
+ return (NULL);
+ }
+ }
+
+ no->bo_id[OIDIDX_pfTblAddr + 1] = tblidx;
+ mps_encodeinaddr(no, &as.pfras_a.pfra_ip4addr, OIDIDX_pfTblAddr + 2);
+ no->bo_id[OIDIDX_pfTblAddr + 6] = as.pfras_a.pfra_net;
+ no->bo_n += 1;
+
+ smi_oidlen(o);
+
+ return (no);
+}
+
+int
+mib_pflabelnum(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct pfioc_rule pr;
+ u_int32_t nr, mnr, lnr;
+ extern int devpf;
+
+ memset(&pr, 0, sizeof(pr));
+ if (ioctl(devpf, DIOCGETRULES, &pr)) {
+ log_warn("DIOCGETRULES");
+ return (-1);
+ }
+
+ mnr = pr.nr;
+ lnr = 0;
+ for (nr = 0; nr < mnr; ++nr) {
+ pr.nr = nr;
+ if (ioctl(devpf, DIOCGETRULE, &pr)) {
+ log_warn("DIOCGETRULE");
+ return (-1);
+ }
+
+ if (pr.rule.label[0])
+ lnr++;
+ }
+
+ *elm = ber_add_integer(*elm, lnr);
+
+ return (0);
+}
+
+int
+mib_pflabels(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ struct ber_element *ber = *elm;
+ struct pfioc_rule pr;
+ struct pf_rule *r = NULL;
+ u_int32_t nr, mnr, lnr;
+ u_int32_t idx;
+ extern int devpf;
+
+ /* Get and verify the current row index */
+ idx = o->bo_id[OIDIDX_pfLabelEntry];
+
+ memset(&pr, 0, sizeof(pr));
+ if (ioctl(devpf, DIOCGETRULES, &pr)) {
+ log_warn("DIOCGETRULES");
+ return (-1);
+ }
+
+ mnr = pr.nr;
+ lnr = 0;
+ for (nr = 0; nr < mnr; ++nr) {
+ pr.nr = nr;
+ if (ioctl(devpf, DIOCGETRULE, &pr)) {
+ log_warn("DIOCGETRULE");
+ return (-1);
+ }
+
+ if (pr.rule.label[0] && ++lnr == idx) {
+ r = &pr.rule;
+ break;
+ }
+ }
+
+ if (r == NULL)
+ return (1);
+
+ ber = ber_add_oid(ber, o);
+
+ switch (o->bo_id[OIDIDX_pfLabel]) {
+ case 1:
+ ber = ber_add_integer(ber, lnr);
+ break;
+ case 2:
+ ber = ber_add_string(ber, r->label);
+ break;
+ case 3:
+ ber = ber_add_integer(ber, r->evaluations);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 4:
+ ber = ber_add_integer(ber, r->packets[IN] + r->packets[OUT]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 5:
+ ber = ber_add_integer(ber, r->bytes[IN] + r->bytes[OUT]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 6:
+ ber = ber_add_integer(ber, r->packets[IN]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 7:
+ ber = ber_add_integer(ber, r->bytes[IN]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 8:
+ ber = ber_add_integer(ber, r->packets[OUT]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 9:
+ ber = ber_add_integer(ber, r->bytes[OUT]);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ case 10:
+ ber = ber_add_integer(ber, r->states_tot);
+ ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER32);
+ break;
+ default:
+ return (1);
+ }
+
+ return (0);
+}
+
+int
+mib_pfsyncstats(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+ int i;
+ int mib[] = { CTL_NET, AF_INET, IPPROTO_PFSYNC,
+ PFSYNCCTL_STATS };
+ size_t len = sizeof(struct pfsyncstats);
+ struct pfsyncstats s;
+ struct statsmap {
+ u_int8_t m_id;
+ u_int64_t *m_ptr;
+ } mapping[] = {
+ { 1, &s.pfsyncs_ipackets },
+ { 2, &s.pfsyncs_ipackets6 },
+ { 3, &s.pfsyncs_badif },
+ { 4, &s.pfsyncs_badttl },
+ { 5, &s.pfsyncs_hdrops },
+ { 6, &s.pfsyncs_badver },
+ { 7, &s.pfsyncs_badact },
+ { 8, &s.pfsyncs_badlen },
+ { 9, &s.pfsyncs_badauth },
+ { 10, &s.pfsyncs_stale },
+ { 11, &s.pfsyncs_badval },
+ { 12, &s.pfsyncs_badstate },
+ { 13, &s.pfsyncs_opackets },
+ { 14, &s.pfsyncs_opackets6 },
+ { 15, &s.pfsyncs_onomem },
+ { 16, &s.pfsyncs_oerrors }
+ };
+
+ if (sysctl(mib, 4, &s, &len, NULL, 0) == -1) {
+ log_warn("sysctl");
+ return (-1);
+ }
+
+ for (i = 0;
+ (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+ if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+ *elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+ ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ return (0);
+ }
+ }
+
+ return (-1);
+}
+
+int
mib_sensornum(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
{
struct sensordev sensordev;
diff --git a/usr.sbin/snmpd/mib.h b/usr.sbin/snmpd/mib.h
index 2b8f9d461f8..b9b83dfe096 100644
--- a/usr.sbin/snmpd/mib.h
+++ b/usr.sbin/snmpd/mib.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mib.h,v 1.23 2012/01/31 18:17:19 joel Exp $ */
+/* $OpenBSD: mib.h,v 1.24 2012/02/23 03:54:38 joel Exp $ */
/*
* Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -398,6 +398,179 @@
/* OPENBSD-MIB */
#define MIB_pfMIBObjects MIB_openBSD, 1
+#define MIB_pfInfo MIB_pfMIBObjects, 1
+#define MIB_pfRunning MIB_pfInfo, 1
+#define MIB_pfRuntime MIB_pfInfo, 2
+#define MIB_pfDebug MIB_pfInfo, 3
+#define MIB_pfHostid MIB_pfInfo, 4
+#define MIB_pfCounters MIB_pfMIBObjects, 2
+#define MIB_pfCntMatch MIB_pfCounters, 1
+#define MIB_pfCntBadOffset MIB_pfCounters, 2
+#define MIB_pfCntFragment MIB_pfCounters, 3
+#define MIB_pfCntShort MIB_pfCounters, 4
+#define MIB_pfCntNormalize MIB_pfCounters, 5
+#define MIB_pfCntMemory MIB_pfCounters, 6
+#define MIB_pfCntTimestamp MIB_pfCounters, 7
+#define MIB_pfCntCongestion MIB_pfCounters, 8
+#define MIB_pfCntIpOptions MIB_pfCounters, 9
+#define MIB_pfCntProtoCksum MIB_pfCounters, 10
+#define MIB_pfCntStateMismatch MIB_pfCounters, 11
+#define MIB_pfCntStateInsert MIB_pfCounters, 12
+#define MIB_pfCntStateLimit MIB_pfCounters, 13
+#define MIB_pfCntSrcLimit MIB_pfCounters, 14
+#define MIB_pfCntSynproxy MIB_pfCounters, 15
+#define MIB_pfStateTable MIB_pfMIBObjects, 3
+#define MIB_pfStateCount MIB_pfStateTable, 1
+#define MIB_pfStateSearches MIB_pfStateTable, 2
+#define MIB_pfStateInserts MIB_pfStateTable, 3
+#define MIB_pfStateRemovals MIB_pfStateTable, 4
+#define MIB_pfLogInterface MIB_pfMIBObjects, 4
+#define MIB_pfLogIfName MIB_pfLogInterface, 1
+#define MIB_pfLogIfIpBytesIn MIB_pfLogInterface, 2
+#define MIB_pfLogIfIpBytesOut MIB_pfLogInterface, 3
+#define MIB_pfLogIfIpPktsInPass MIB_pfLogInterface, 4
+#define MIB_pfLogIfIpPktsInDrop MIB_pfLogInterface, 5
+#define MIB_pfLogIfIpPktsOutPass MIB_pfLogInterface, 6
+#define MIB_pfLogIfIpPktsOutDrop MIB_pfLogInterface, 7
+#define MIB_pfLogIfIp6BytesIn MIB_pfLogInterface, 8
+#define MIB_pfLogIfIp6BytesOut MIB_pfLogInterface, 9
+#define MIB_pfLogIfIp6PktsInPass MIB_pfLogInterface, 10
+#define MIB_pfLogIfIp6PktsInDrop MIB_pfLogInterface, 11
+#define MIB_pfLogIfIp6PktsOutPass MIB_pfLogInterface, 12
+#define MIB_pfLogIfIp6PktsOutDrop MIB_pfLogInterface, 13
+#define MIB_pfSrcTracking MIB_pfMIBObjects, 5
+#define MIB_pfSrcTrackCount MIB_pfSrcTracking, 1
+#define MIB_pfSrcTrackSearches MIB_pfSrcTracking, 2
+#define MIB_pfSrcTrackInserts MIB_pfSrcTracking, 3
+#define MIB_pfSrcTrackRemovals MIB_pfSrcTracking, 4
+#define MIB_pfLimits MIB_pfMIBObjects, 6
+#define MIB_pfLimitStates MIB_pfLimits, 1
+#define MIB_pfLimitSourceNodes MIB_pfLimits, 2
+#define MIB_pfLimitFragments MIB_pfLimits, 3
+#define MIB_pfLimitMaxTables MIB_pfLimits, 4
+#define MIB_pfLimitMaxTableEntries MIB_pfLimits, 5
+#define MIB_pfTimeouts MIB_pfMIBObjects, 7
+#define MIB_pfTimeoutTcpFirst MIB_pfTimeouts, 1
+#define MIB_pfTimeoutTcpOpening MIB_pfTimeouts, 2
+#define MIB_pfTimeoutTcpEstablished MIB_pfTimeouts, 3
+#define MIB_pfTimeoutTcpClosing MIB_pfTimeouts, 4
+#define MIB_pfTimeoutTcpFinWait MIB_pfTimeouts, 5
+#define MIB_pfTimeoutTcpClosed MIB_pfTimeouts, 6
+#define MIB_pfTimeoutUdpFirst MIB_pfTimeouts, 7
+#define MIB_pfTimeoutUdpSingle MIB_pfTimeouts, 8
+#define MIB_pfTimeoutUdpMultiple MIB_pfTimeouts, 9
+#define MIB_pfTimeoutIcmpFirst MIB_pfTimeouts, 10
+#define MIB_pfTimeoutIcmpError MIB_pfTimeouts, 11
+#define MIB_pfTimeoutOtherFirst MIB_pfTimeouts, 12
+#define MIB_pfTimeoutOtherSingle MIB_pfTimeouts, 13
+#define MIB_pfTimeoutOtherMultiple MIB_pfTimeouts, 14
+#define MIB_pfTimeoutFragment MIB_pfTimeouts, 15
+#define MIB_pfTimeoutInterval MIB_pfTimeouts, 16
+#define MIB_pfTimeoutAdaptiveStart MIB_pfTimeouts, 17
+#define MIB_pfTimeoutAdaptiveEnd MIB_pfTimeouts, 18
+#define MIB_pfTimeoutSrcTrack MIB_pfTimeouts, 19
+#define OIDIDX_pfstatus 9
+#define MIB_pfInterfaces MIB_pfMIBObjects, 8
+#define MIB_pfIfNumber MIB_pfInterfaces, 1
+#define MIB_pfIfTable MIB_pfInterfaces, 128
+#define MIB_pfIfEntry MIB_pfIfTable, 1
+#define OIDIDX_pfInterface 11
+#define OIDIDX_pfIfEntry 12
+#define MIB_pfIfIndex MIB_pfIfEntry, 1
+#define MIB_pfIfDescr MIB_pfIfEntry, 2
+#define MIB_pfIfType MIB_pfIfEntry, 3
+#define MIB_pfIfRefs MIB_pfIfEntry, 4
+#define MIB_pfIfRules MIB_pfIfEntry, 5
+#define MIB_pfIfIn4PassPkts MIB_pfIfEntry, 6
+#define MIB_pfIfIn4PassBytes MIB_pfIfEntry, 7
+#define MIB_pfIfIn4BlockPkts MIB_pfIfEntry, 8
+#define MIB_pfIfIn4BlockBytes MIB_pfIfEntry, 9
+#define MIB_pfIfOut4PassPkts MIB_pfIfEntry, 10
+#define MIB_pfIfOut4PassBytes MIB_pfIfEntry, 11
+#define MIB_pfIfOut4BlockPkts MIB_pfIfEntry, 12
+#define MIB_pfIfOut4BlockBytes MIB_pfIfEntry, 13
+#define MIB_pfIfIn6PassPkts MIB_pfIfEntry, 14
+#define MIB_pfIfIn6PassBytes MIB_pfIfEntry, 15
+#define MIB_pfIfIn6BlockPkts MIB_pfIfEntry, 16
+#define MIB_pfIfIn6BlockBytes MIB_pfIfEntry, 17
+#define MIB_pfIfOut6PassPkts MIB_pfIfEntry, 18
+#define MIB_pfIfOut6PassBytes MIB_pfIfEntry, 19
+#define MIB_pfIfOut6BlockPkts MIB_pfIfEntry, 20
+#define MIB_pfIfOut6BlockBytes MIB_pfIfEntry, 21
+#define MIB_pfTables MIB_pfMIBObjects, 9
+#define MIB_pfTblNumber MIB_pfTables, 1
+#define MIB_pfTblTable MIB_pfTables, 128
+#define MIB_pfTblEntry MIB_pfTblTable, 1
+#define OIDIDX_pfTable 11
+#define OIDIDX_pfTableEntry 12
+#define MIB_pfTblIndex MIB_pfTblEntry, 1
+#define MIB_pfTblName MIB_pfTblEntry, 2
+#define MIB_pfTblAddresses MIB_pfTblEntry, 3
+#define MIB_pfTblAnchorRefs MIB_pfTblEntry, 4
+#define MIB_pfTblRuleRefs MIB_pfTblEntry, 5
+#define MIB_pfTblEvalsMatch MIB_pfTblEntry, 6
+#define MIB_pfTblEvalsNoMatch MIB_pfTblEntry, 7
+#define MIB_pfTblInPassPkts MIB_pfTblEntry, 8
+#define MIB_pfTblInPassBytes MIB_pfTblEntry, 9
+#define MIB_pfTblInBlockPkts MIB_pfTblEntry, 10
+#define MIB_pfTblInBlockBytes MIB_pfTblEntry, 11
+#define MIB_pfTblInXPassPkts MIB_pfTblEntry, 12
+#define MIB_pfTblInXPassBytes MIB_pfTblEntry, 13
+#define MIB_pfTblOutPassPkts MIB_pfTblEntry, 14
+#define MIB_pfTblOutPassBytes MIB_pfTblEntry, 15
+#define MIB_pfTblOutBlockPkts MIB_pfTblEntry, 16
+#define MIB_pfTblOutBlockBytes MIB_pfTblEntry, 17
+#define MIB_pfTblOutXPassPkts MIB_pfTblEntry, 18
+#define MIB_pfTblOutXPassBytes MIB_pfTblEntry, 19
+#define MIB_pfTblStatsCleared MIB_pfTblEntry, 20
+#define MIB_pfTblAddrTable MIB_pfTables, 129
+#define MIB_pfTblAddrEntry MIB_pfTblAddrTable, 1
+#define OIDIDX_pfTblAddr 11
+#define MIB_pfTblAddrTblIndex MIB_pfTblAddrEntry, 1
+#define MIB_pfTblAddrNet MIB_pfTblAddrEntry, 2
+#define MIB_pfTblAddrMask MIB_pfTblAddrEntry, 3
+#define MIB_pfTblAddrCleared MIB_pfTblAddrEntry, 4
+#define MIB_pfTblAddrInBlockPkts MIB_pfTblAddrEntry, 5
+#define MIB_pfTblAddrInBlockBytes MIB_pfTblAddrEntry, 6
+#define MIB_pfTblAddrInPassPkts MIB_pfTblAddrEntry, 7
+#define MIB_pfTblAddrInPassBytes MIB_pfTblAddrEntry, 8
+#define MIB_pfTblAddrOutBlockPkts MIB_pfTblAddrEntry, 9
+#define MIB_pfTblAddrOutBlockBytes MIB_pfTblAddrEntry, 10
+#define MIB_pfTblAddrOutPassPkts MIB_pfTblAddrEntry, 11
+#define MIB_pfTblAddrOutPassBytes MIB_pfTblAddrEntry, 12
+#define MIB_pfLabels MIB_pfMIBObjects, 10
+#define MIB_pfLabelNumber MIB_pfLabels, 1
+#define MIB_pfLabelTable MIB_pfLabels, 128
+#define OIDIDX_pfLabel 11
+#define OIDIDX_pfLabelEntry 12
+#define MIB_pfLabelEntry MIB_pfLabelTable, 1
+#define MIB_pfLabelIndex MIB_pfLabelEntry, 1
+#define MIB_pfLabelName MIB_pfLabelEntry, 2
+#define MIB_pfLabelEvals MIB_pfLabelEntry, 3
+#define MIB_pfLabelPkts MIB_pfLabelEntry, 4
+#define MIB_pfLabelBytes MIB_pfLabelEntry, 5
+#define MIB_pfLabelInPkts MIB_pfLabelEntry, 6
+#define MIB_pfLabelInBytes MIB_pfLabelEntry, 7
+#define MIB_pfLabelOutPkts MIB_pfLabelEntry, 8
+#define MIB_pfLabelOutBytes MIB_pfLabelEntry, 9
+#define MIB_pfLabelTotalStates MIB_pfLabelEntry, 10
+#define MIB_pfsyncStats MIB_pfMIBObjects, 11
+#define MIB_pfsyncIpPktsRecv MIB_pfsyncStats, 1
+#define MIB_pfsyncIp6PktsRecv MIB_pfsyncStats, 2
+#define MIB_pfsyncPktDiscardsForBadInterface MIB_pfsyncStats, 3
+#define MIB_pfsyncPktDiscardsForBadTtl MIB_pfsyncStats, 4
+#define MIB_pfsyncPktShorterThanHeader MIB_pfsyncStats, 5
+#define MIB_pfsyncPktDiscardsForBadVersion MIB_pfsyncStats, 6
+#define MIB_pfsyncPktDiscardsForBadAction MIB_pfsyncStats, 7
+#define MIB_pfsyncPktDiscardsForBadLength MIB_pfsyncStats, 8
+#define MIB_pfsyncPktDiscardsForBadAuth MIB_pfsyncStats, 9
+#define MIB_pfsyncPktDiscardsForStaleState MIB_pfsyncStats, 10
+#define MIB_pfsyncPktDiscardsForBadValues MIB_pfsyncStats, 11
+#define MIB_pfsyncPktDiscardsForBadState MIB_pfsyncStats, 12
+#define MIB_pfsyncIpPktsSent MIB_pfsyncStats, 13
+#define MIB_pfsyncIp6PktsSent MIB_pfsyncStats, 14
+#define MIB_pfsyncNoMemory MIB_pfsyncStats, 15
+#define MIB_pfsyncOutputErrors MIB_pfsyncStats, 16
#define MIB_sensorsMIBObjects MIB_openBSD, 2
#define MIB_sensors MIB_sensorsMIBObjects, 1
#define MIB_sensorNumber MIB_sensors, 1
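Review bot: The new `OIDIDX_*` constants (`OIDIDX_pfstatus 9`, `OIDIDX_pfTblAddr 11`, `OIDIDX_pfLabel 11`, `OIDIDX_pfLabelEntry 12`, …) are undocumented array positions, yet the handlers added in mib.c use them as direct subscripts into the request OID, e.g. `o->bo_id[OIDIDX_pfTblAddr + 6]`. A comment above each group, such as `/* position in bo_id[] of the column sub-identifier; the row index components follow it */`, would let a reader check those offsets against the OID layout. The values presumably depend on the length of the `MIB_openBSD` prefix, which is defined outside this hunk, so the comment should say that as well.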
@@ -719,6 +892,172 @@
{ MIBDECL(vantronix) }, \
{ MIBDECL(openBSD) }, \
\
+ { MIBDECL(pfMIBObjects) }, \
+ { MIBDECL(pfInfo) }, \
+ { MIBDECL(pfRunning) }, \
+ { MIBDECL(pfRuntime) }, \
+ { MIBDECL(pfDebug) }, \
+ { MIBDECL(pfHostid) }, \
+ { MIBDECL(pfCounters) }, \
+ { MIBDECL(pfCntMatch) }, \
+ { MIBDECL(pfCntBadOffset) }, \
+ { MIBDECL(pfCntFragment) }, \
+ { MIBDECL(pfCntShort) }, \
+ { MIBDECL(pfCntNormalize) }, \
+ { MIBDECL(pfCntMemory) }, \
+ { MIBDECL(pfCntTimestamp) }, \
+ { MIBDECL(pfCntCongestion) }, \
+ { MIBDECL(pfCntIpOptions) }, \
+ { MIBDECL(pfCntProtoCksum) }, \
+ { MIBDECL(pfCntStateMismatch) }, \
+ { MIBDECL(pfCntStateInsert) }, \
+ { MIBDECL(pfCntStateLimit) }, \
+ { MIBDECL(pfCntSrcLimit) }, \
+ { MIBDECL(pfCntSynproxy) }, \
+ { MIBDECL(pfStateTable) }, \
+ { MIBDECL(pfStateCount) }, \
+ { MIBDECL(pfStateSearches) }, \
+ { MIBDECL(pfStateInserts) }, \
+ { MIBDECL(pfStateRemovals) }, \
+ { MIBDECL(pfLogInterface) }, \
+ { MIBDECL(pfLogIfName) }, \
+ { MIBDECL(pfLogIfIpBytesIn) }, \
+ { MIBDECL(pfLogIfIpBytesOut) }, \
+ { MIBDECL(pfLogIfIpPktsInPass) }, \
+ { MIBDECL(pfLogIfIpPktsInDrop) }, \
+ { MIBDECL(pfLogIfIpPktsOutPass) }, \
+ { MIBDECL(pfLogIfIpPktsOutDrop) }, \
+ { MIBDECL(pfLogIfIp6BytesIn) }, \
+ { MIBDECL(pfLogIfIp6BytesOut) }, \
+ { MIBDECL(pfLogIfIp6PktsInPass) }, \
+ { MIBDECL(pfLogIfIp6PktsInDrop) }, \
+ { MIBDECL(pfLogIfIp6PktsOutPass) }, \
+ { MIBDECL(pfLogIfIp6PktsOutDrop) }, \
+ { MIBDECL(pfSrcTracking) }, \
+ { MIBDECL(pfSrcTrackCount) }, \
+ { MIBDECL(pfSrcTrackSearches) }, \
+ { MIBDECL(pfSrcTrackInserts) }, \
+ { MIBDECL(pfSrcTrackRemovals) }, \
+ { MIBDECL(pfLimits) }, \
+ { MIBDECL(pfLimitStates) }, \
+ { MIBDECL(pfLimitSourceNodes) }, \
+ { MIBDECL(pfLimitFragments) }, \
+ { MIBDECL(pfLimitMaxTables) }, \
+ { MIBDECL(pfLimitMaxTableEntries) }, \
+ { MIBDECL(pfTimeouts) }, \
+ { MIBDECL(pfTimeoutTcpFirst) }, \
+ { MIBDECL(pfTimeoutTcpOpening) }, \
+ { MIBDECL(pfTimeoutTcpEstablished) }, \
+ { MIBDECL(pfTimeoutTcpClosing) }, \
+ { MIBDECL(pfTimeoutTcpFinWait) }, \
+ { MIBDECL(pfTimeoutTcpClosed) }, \
+ { MIBDECL(pfTimeoutUdpFirst) }, \
+ { MIBDECL(pfTimeoutUdpSingle) }, \
+ { MIBDECL(pfTimeoutUdpMultiple) }, \
+ { MIBDECL(pfTimeoutIcmpFirst) }, \
+ { MIBDECL(pfTimeoutIcmpError) }, \
+ { MIBDECL(pfTimeoutOtherFirst) }, \
+ { MIBDECL(pfTimeoutOtherSingle) }, \
+ { MIBDECL(pfTimeoutOtherMultiple) }, \
+ { MIBDECL(pfTimeoutFragment) }, \
+ { MIBDECL(pfTimeoutInterval) }, \
+ { MIBDECL(pfTimeoutAdaptiveStart) }, \
+ { MIBDECL(pfTimeoutAdaptiveEnd) }, \
+ { MIBDECL(pfTimeoutSrcTrack) }, \
+ { MIBDECL(pfInterfaces) }, \
+ { MIBDECL(pfIfNumber) }, \
+ { MIBDECL(pfIfTable) }, \
+ { MIBDECL(pfIfEntry) }, \
+ { MIBDECL(pfIfIndex) }, \
+ { MIBDECL(pfIfDescr) }, \
+ { MIBDECL(pfIfType) }, \
+ { MIBDECL(pfIfRefs) }, \
+ { MIBDECL(pfIfRules) }, \
+ { MIBDECL(pfIfIn4PassPkts) }, \
+ { MIBDECL(pfIfIn4PassBytes) }, \
+ { MIBDECL(pfIfIn4BlockPkts) }, \
+ { MIBDECL(pfIfIn4BlockBytes) }, \
+ { MIBDECL(pfIfOut4PassPkts) }, \
+ { MIBDECL(pfIfOut4PassBytes) }, \
+ { MIBDECL(pfIfOut4BlockPkts) }, \
+ { MIBDECL(pfIfOut4BlockBytes) }, \
+ { MIBDECL(pfIfIn6PassPkts) }, \
+ { MIBDECL(pfIfIn6PassBytes) }, \
+ { MIBDECL(pfIfIn6BlockPkts) }, \
+ { MIBDECL(pfIfIn6BlockBytes) }, \
+ { MIBDECL(pfIfOut6PassPkts) }, \
+ { MIBDECL(pfIfOut6PassBytes) }, \
+ { MIBDECL(pfIfOut6BlockPkts) }, \
+ { MIBDECL(pfIfOut6BlockBytes) }, \
+ { MIBDECL(pfTables) }, \
+ { MIBDECL(pfTblNumber) }, \
+ { MIBDECL(pfTblTable) }, \
+ { MIBDECL(pfTblEntry) }, \
+ { MIBDECL(pfTblIndex) }, \
+ { MIBDECL(pfTblName) }, \
+ { MIBDECL(pfTblAddresses) }, \
+ { MIBDECL(pfTblAnchorRefs) }, \
+ { MIBDECL(pfTblRuleRefs) }, \
+ { MIBDECL(pfTblEvalsMatch) }, \
+ { MIBDECL(pfTblEvalsNoMatch) }, \
+ { MIBDECL(pfTblInPassPkts) }, \
+ { MIBDECL(pfTblInPassBytes) }, \
+ { MIBDECL(pfTblInBlockPkts) }, \
+ { MIBDECL(pfTblInBlockBytes) }, \
+ { MIBDECL(pfTblInXPassPkts) }, \
+ { MIBDECL(pfTblInXPassBytes) }, \
+ { MIBDECL(pfTblOutPassPkts) }, \
+ { MIBDECL(pfTblOutPassBytes) }, \
+ { MIBDECL(pfTblOutBlockPkts) }, \
+ { MIBDECL(pfTblOutBlockBytes) }, \
+ { MIBDECL(pfTblOutXPassPkts) }, \
+ { MIBDECL(pfTblOutXPassBytes) }, \
+ { MIBDECL(pfTblStatsCleared) }, \
+ { MIBDECL(pfTblAddrTable) }, \
+ { MIBDECL(pfTblAddrEntry) }, \
+ { MIBDECL(pfTblAddrTblIndex) }, \
+ { MIBDECL(pfTblAddrNet) }, \
+ { MIBDECL(pfTblAddrMask) }, \
+ { MIBDECL(pfTblAddrCleared) }, \
+ { MIBDECL(pfTblAddrInBlockPkts) }, \
+ { MIBDECL(pfTblAddrInBlockBytes) }, \
+ { MIBDECL(pfTblAddrInPassPkts) }, \
+ { MIBDECL(pfTblAddrInPassBytes) }, \
+ { MIBDECL(pfTblAddrOutBlockPkts) }, \
+ { MIBDECL(pfTblAddrOutBlockBytes) }, \
+ { MIBDECL(pfTblAddrOutPassPkts) }, \
+ { MIBDECL(pfTblAddrOutPassBytes) }, \
+ { MIBDECL(pfLabels) }, \
+ { MIBDECL(pfLabelNumber) }, \
+ { MIBDECL(pfLabelTable) }, \
+ { MIBDECL(pfLabelEntry) }, \
+ { MIBDECL(pfLabelIndex) }, \
+ { MIBDECL(pfLabelName) }, \
+ { MIBDECL(pfLabelEvals) }, \
+ { MIBDECL(pfLabelPkts) }, \
+ { MIBDECL(pfLabelBytes) }, \
+ { MIBDECL(pfLabelInPkts) }, \
+ { MIBDECL(pfLabelInBytes) }, \
+ { MIBDECL(pfLabelOutPkts) }, \
+ { MIBDECL(pfLabelOutBytes) }, \
+ { MIBDECL(pfLabelTotalStates) }, \
+ { MIBDECL(pfsyncStats) }, \
+ { MIBDECL(pfsyncIpPktsRecv) }, \
+ { MIBDECL(pfsyncIp6PktsRecv) }, \
+ { MIBDECL(pfsyncPktDiscardsForBadInterface) }, \
+ { MIBDECL(pfsyncPktDiscardsForBadTtl) }, \
+ { MIBDECL(pfsyncPktShorterThanHeader) }, \
+ { MIBDECL(pfsyncPktDiscardsForBadVersion) }, \
+ { MIBDECL(pfsyncPktDiscardsForBadAction) }, \
+ { MIBDECL(pfsyncPktDiscardsForBadLength) }, \
+ { MIBDECL(pfsyncPktDiscardsForBadAuth) }, \
+ { MIBDECL(pfsyncPktDiscardsForStaleState) }, \
+ { MIBDECL(pfsyncPktDiscardsForBadValues) }, \
+ { MIBDECL(pfsyncPktDiscardsForBadState) }, \
+ { MIBDECL(pfsyncIpPktsSent) }, \
+ { MIBDECL(pfsyncIp6PktsSent) }, \
+ { MIBDECL(pfsyncNoMemory) }, \
+ { MIBDECL(pfsyncOutputErrors) }, \
{ MIBDECL(sensorsMIBObjects) }, \
{ MIBDECL(sensors) }, \
{ MIBDECL(sensorNumber) }, \
diff --git a/usr.sbin/snmpd/pf.c b/usr.sbin/snmpd/pf.c
new file mode 100644
index 00000000000..8194d64a475
--- /dev/null
+++ b/usr.sbin/snmpd/pf.c
@@ -0,0 +1,483 @@
+/* $OpenBSD: pf.c,v 1.1 2012/02/23 03:54:38 joel Exp $ */
+
+/*
+ * Copyright (c) 2012 Joel Knight <joel@openbsd.org>
+ * Copyright (c) 2002 Cedric Berger
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+
+#include <net/if.h>
+#include <net/pfvar.h>
+#include <arpa/inet.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <event.h>
+
+#include "snmpd.h"
+
+int devpf = 0;
+
+size_t buf_esize[PFRB_MAX] = { 0,
+ sizeof(struct pfr_table), sizeof(struct pfr_tstats),
+ sizeof(struct pfr_addr), sizeof(struct pfr_astats),
+ sizeof(struct pfi_kif), sizeof(struct pfioc_trans_e)
+};
+
+int
+pf_init(void)
+{
+ if ((devpf = open("/dev/pf", O_RDONLY)) == -1)
+ return (1);
+
+ return (0);
+}
+
+int
+pf_get_stats(struct pf_status *s)
+{
+ extern int devpf;
+
+ memset(s, 0, sizeof(s));
+ if (ioctl(devpf, DIOCGETSTATUS, s)) {
+ log_warn("DIOCGETSTATUS");
+ return (-1);
+ }
+
+ return (0);
+}
+
+int
+pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
+ int flags)
+{
+ struct pfioc_table io;
+ extern int devpf;
+
+ if (tbl == NULL || size == NULL || *size < 0 ||
+ (*size && addr == NULL))
+ return (-1);
+
+ bzero(&io, sizeof io);
+ io.pfrio_flags = flags;
+ io.pfrio_table = *tbl;
+ io.pfrio_buffer = addr;
+ io.pfrio_esize = sizeof(*addr);
+ io.pfrio_size = *size;
+ if (ioctl(devpf, DIOCRGETASTATS, &io))
+ return (-1);
+ *size = io.pfrio_size;
+ return (0);
+}
+
+int
+pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,
+ int flags)
+{
+ struct pfioc_table io;
+ extern int devpf;
+
+ if (size == NULL || *size < 0 || (*size && tbl == NULL))
+ return (-1);
+ bzero(&io, sizeof io);
+ io.pfrio_flags = flags;
+ if (filter != NULL)
+ io.pfrio_table = *filter;
+ io.pfrio_buffer = tbl;
+ io.pfrio_esize = sizeof(*tbl);
+ io.pfrio_size = *size;
+ if (ioctl(devpf, DIOCRGETTSTATS, &io))
+ return (-1);
+ *size = io.pfrio_size;
+ return (0);
+}
+
+int
+pfr_buf_grow(struct pfr_buffer *b, int minsize)
+{
+ caddr_t p;
+ size_t bs;
+
+ if (minsize != 0 && minsize <= b->pfrb_msize)
+ return (0);
+ bs = buf_esize[b->pfrb_type];
+ if (!b->pfrb_msize) {
+ if (minsize < 64)
+ minsize = 64;
+ b->pfrb_caddr = calloc(bs, minsize);
+ if (b->pfrb_caddr == NULL)
+ return (-1);
+ b->pfrb_msize = minsize;
+ } else {
+ if (minsize == 0)
+ minsize = b->pfrb_msize * 2;
+ if (minsize < 0 || minsize >= SIZE_T_MAX / bs) {
+ /* msize overflow */
+ return (-1);
+ }
+ p = realloc(b->pfrb_caddr, minsize * bs);
+ if (p == NULL)
+ return (-1);
+ bzero(p + b->pfrb_msize * bs, (minsize - b->pfrb_msize) * bs);
+ b->pfrb_caddr = p;
+ b->pfrb_msize = minsize;
+ }
+ return (0);
+}
+
+void *
+pfr_buf_next(struct pfr_buffer *b, const void *prev)
+{
+ size_t bs;
+
+ if (b == NULL)
+ return (NULL);
+ if (b->pfrb_size == 0)
+ return (NULL);
+ if (prev == NULL)
+ return (b->pfrb_caddr);
+ bs = buf_esize[b->pfrb_type];
+ if ((((caddr_t)prev)-((caddr_t)b->pfrb_caddr)) / bs >= b->pfrb_size-1)
+ return (NULL);
+
+ return (((caddr_t)prev) + bs);
+}
+
+int
+pfi_get_ifaces(const char *filter, struct pfi_kif *buf, int *size)
+{
+ struct pfioc_iface io;
+ extern int devpf;
+
+ if (size == NULL || *size < 0 || (*size && buf == NULL)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ bzero(&io, sizeof io);
+ if (filter != NULL)
+ if (strlcpy(io.pfiio_name, filter, sizeof(io.pfiio_name)) >=
+ sizeof(io.pfiio_name)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ io.pfiio_buffer = buf;
+ io.pfiio_esize = sizeof(*buf);
+ io.pfiio_size = *size;
+ if (ioctl(devpf, DIOCIGETIFACES, &io))
+ return (-1);
+ *size = io.pfiio_size;
+ return (0);
+}
+
+int
+pfi_get(struct pfr_buffer *b, const char *filter)
+{
+ bzero(b, sizeof(struct pfr_buffer));
+ b->pfrb_type = PFRB_IFACES;
+ for (;;) {
+ pfr_buf_grow(b, b->pfrb_size);
+ b->pfrb_size = b->pfrb_msize;
+ if (pfi_get_ifaces(filter, b->pfrb_caddr, &(b->pfrb_size)))
+ return (1);
+ if (b->pfrb_size <= b->pfrb_msize)
+ break;
+ }
+
+ return (0);
+}
+
+int
+pfi_count(void)
+{
+ struct pfr_buffer b;
+ struct pfi_kif *p;
+ int c = 0;
+
+ if (pfi_get(&b, NULL))
+ return (-1);
+
+ PFRB_FOREACH(p, &b)
+ c++;
+
+ free(b.pfrb_caddr);
+ return (c);
+}
+
+int
+pfi_get_if(struct pfi_kif *rp, int idx)
+{
+ struct pfr_buffer b;
+ struct pfi_kif *p;
+ int i = 1;
+
+ if (pfi_get(&b, NULL))
+ return (-1);
+
+ PFRB_FOREACH(p, &b) {
+ if (i == idx)
+ break;
+ i++;
+ }
+
+ if (p == NULL) {
+ free(b.pfrb_caddr);
+ return (-1);
+ }
+
+ bcopy(p, rp, sizeof(struct pfi_kif));
+ free(b.pfrb_caddr);
+
+ return (0);
+}
+
+int
+pft_get(struct pfr_buffer *b, struct pfr_table *filter)
+{
+ bzero(b, sizeof(struct pfr_buffer));
+ b->pfrb_type = PFRB_TSTATS;
+
+ for (;;) {
+ pfr_buf_grow(b, b->pfrb_size);
+ b->pfrb_size = b->pfrb_msize;
+ if (pfr_get_tstats(filter, b->pfrb_caddr, &(b->pfrb_size), 0))
+ return (1);
+ if (b->pfrb_size <= b->pfrb_msize)
+ break;
+ }
+
+ return (0);
+}
+
+int
+pft_get_table(struct pfr_tstats *rts, int idx)
+{
+ struct pfr_buffer b;
+ struct pfr_tstats *ts;
+ int i = 1;
+
+ if (pft_get(&b, NULL))
+ return (-1);
+
+ PFRB_FOREACH(ts, &b) {
+ if (!(ts->pfrts_flags & PFR_TFLAG_ACTIVE))
+ continue;
+ if (i == idx)
+ break;
+ i++;
+ }
+
+ if (ts == NULL) {
+ free(b.pfrb_caddr);
+ return (-1);
+ }
+
+ bcopy(ts, rts, sizeof(struct pfr_tstats));
+ free(b.pfrb_caddr);
+
+ return (0);
+}
+
+int
+pft_count(void)
+{
+ struct pfr_buffer b;
+ struct pfr_tstats *ts;
+ int c = 0;
+
+ if (pft_get(&b, NULL))
+ return (-1);
+
+ PFRB_FOREACH(ts, &b) {
+ if (!(ts->pfrts_flags & PFR_TFLAG_ACTIVE))
+ continue;
+ c++;
+ }
+
+ free(b.pfrb_caddr);
+ return (c);
+}
+
+int
+pfta_get(struct pfr_buffer *b, struct pfr_table *filter)
+{
+ bzero(b, sizeof(struct pfr_buffer));
+ b->pfrb_type = PFRB_ASTATS;
+
+ for (;;) {
+ pfr_buf_grow(b, b->pfrb_size);
+ b->pfrb_size = b->pfrb_msize;
+ if (pfr_get_astats(filter, b->pfrb_caddr, &(b->pfrb_size), 0)) {
+ return (1);
+ }
+ if (b->pfrb_size <= b->pfrb_msize)
+ break;
+ }
+
+ return (0);
+}
+
+int
+pfta_get_addr(struct pfr_astats *ras, int tblidx)
+{
+ struct pfr_buffer ba;
+ struct pfr_tstats ts;
+ struct pfr_table filter;
+ struct pfr_astats *as;
+
+ if (pft_get_table(&ts, tblidx))
+ return (-1);
+
+ bzero(&filter, sizeof(filter));
+ if (strlcpy(filter.pfrt_name, ts.pfrts_name,
+ sizeof(filter.pfrt_name)) >= sizeof(filter.pfrt_name)) {
+ return (-1);
+ }
+
+ if (pfta_get(&ba, &filter) || ba.pfrb_size == 0) {
+ free(ba.pfrb_caddr);
+ return (-1);
+ }
+
+ PFRB_FOREACH(as, &ba) {
+ if (as->pfras_a.pfra_af != AF_INET)
+ continue;
+ if ((memcmp(&as->pfras_a.pfra_ip4addr, &ras->pfras_a.pfra_ip4addr,
+ sizeof(as->pfras_a.pfra_ip4addr)) == 0)
+ && (as->pfras_a.pfra_net == ras->pfras_a.pfra_net))
+ break;
+ }
+
+ if (as == NULL) {
+ free(ba.pfrb_caddr);
+ return (-1);
+ }
+
+ bcopy(as, ras, sizeof(struct pfr_astats));
+ free(ba.pfrb_caddr);
+
+ return (0);
+}
+
+int
+pfta_get_nextaddr(struct pfr_astats *ras, int *tblidx)
+{
+ struct pfr_buffer ba;
+ struct pfr_tstats ts;
+ struct pfr_table filter;
+ struct pfr_astats *as;
+ int i, found = 0;
+
+ ba.pfrb_caddr = NULL;
+
+ for (i = *tblidx; !pft_get_table(&ts, i); i++) {
+ bzero(&filter, sizeof(filter));
+ if (strlcpy(filter.pfrt_name, ts.pfrts_name,
+ sizeof(filter.pfrt_name)) >= sizeof(filter.pfrt_name))
+ goto fail;
+
+ if (pfta_get(&ba, &filter) || ba.pfrb_size == 0)
+ goto fail;
+
+ PFRB_FOREACH(as, &ba) {
+ if (found)
+ goto found;
+ if (as->pfras_a.pfra_af != AF_INET)
+ continue;
+ if ((memcmp(&as->pfras_a.pfra_ip4addr,
+ &ras->pfras_a.pfra_ip4addr,
+ sizeof(as->pfras_a.pfra_ip4addr)) == 0)
+ && (as->pfras_a.pfra_net == ras->pfras_a.pfra_net))
+ found = 1;
+ }
+ }
+
+
+ fail:
+ free(ba.pfrb_caddr);
+
+ return (-1);
+
+ found:
+ bcopy(as, ras, sizeof(struct pfr_astats));
+ *tblidx = i;
+
+ free(ba.pfrb_caddr);
+
+ return (0);
+}
+
+int
+pfta_get_first(struct pfr_astats *ras)
+{
+ struct pfr_buffer ba;
+ struct pfr_tstats ts;
+ struct pfr_table filter;
+ struct pfr_astats *as;
+
+ if (pft_get_table(&ts, 1))
+ return (-1);
+
+ bzero(&filter, sizeof(filter));
+ if (strlcpy(filter.pfrt_name, ts.pfrts_name,
+ sizeof(filter.pfrt_name)) >= sizeof(filter.pfrt_name)) {
+ return (-1);
+ }
+
+ if (pfta_get(&ba, &filter) || ba.pfrb_size == 0) {
+ free(ba.pfrb_caddr);
+ return (-1);
+ }
+
+ /* take the first AF_INET addr */
+ PFRB_FOREACH(as, &ba) {
+ if (as->pfras_a.pfra_af != AF_INET)
+ continue;
+ break;
+ }
+
+ if (as == NULL) {
+ free(ba.pfrb_caddr);
+ return (-1);
+ }
+
+ bcopy(as, ras, sizeof(struct pfr_astats));
+ free(ba.pfrb_caddr);
+
+ return (0);
+}
+
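Review bot: pfta_get_nextaddr() leaks a table buffer each time its `for` loop moves on to another table, because pfta_get() begins with `bzero(b, sizeof(struct pfr_buffer))` and so drops the previous `ba.pfrb_caddr` without freeing it. The function is reached from mib_pftableaddrstable() while walking the address table, so the loss accumulates in a long-running daemon. Adding `free(ba.pfrb_caddr); ba.pfrb_caddr = NULL;` after the inner PFRB_FOREACH, at the end of the loop body, would release it. Separately, in pf_get_stats() `memset(s, 0, sizeof(s))` clears only pointer-size bytes and should read `memset(s, 0, sizeof(*s));`. The return value of pfr_buf_grow() is also ignored in pfi_get(), pft_get() and pfta_get(), so an allocation failure there is never reported to the caller.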
diff --git a/usr.sbin/snmpd/snmpd.c b/usr.sbin/snmpd/snmpd.c
index 6a3bd9d6130..1c8d1c2897b 100644
--- a/usr.sbin/snmpd/snmpd.c
+++ b/usr.sbin/snmpd/snmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpd.c,v 1.9 2009/06/06 05:52:01 pyr Exp $ */
+/* $OpenBSD: snmpd.c,v 1.10 2012/02/23 03:54:38 joel Exp $ */
/*
* Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -174,6 +174,9 @@ main(int argc, char *argv[])
log_info("startup");
+ if (pf_init())
+ fatal("cannot open /dev/pf");
+
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC,
pipe_parent2snmpe) == -1)
fatal("socketpair");
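Review bot: The new `if (pf_init()) fatal(...)` in main() makes startup fail whenever /dev/pf cannot be opened, so a host where the device is unavailable to snmpd loses every MIB rather than only PF-MIB. Logging a warning and letting the PF-MIB handlers return an error would keep the rest of the agent running. The call also sits before the `socketpair()` for `pipe_parent2snmpe`, so the descriptor is presumably inherited by the process that parses SNMP requests. pf_init() is not in this hunk, so confirm that it opens the device read-only and close-on-exec, which keeps a fault in the request parser from being used to change firewall state. A comment above the call such as `/* opened early, read-only: PF-MIB only queries pf */` would record that intent; main() starts and ends outside the hunk.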
diff --git a/usr.sbin/snmpd/snmpd.h b/usr.sbin/snmpd/snmpd.h
index e6c2a41d92a..ed0d1ddca7a 100644
--- a/usr.sbin/snmpd/snmpd.h
+++ b/usr.sbin/snmpd/snmpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpd.h,v 1.32 2012/02/01 18:44:06 camield Exp $ */
+/* $OpenBSD: snmpd.h,v 1.33 2012/02/23 03:54:38 joel Exp $ */
/*
* Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -22,6 +22,7 @@
#include <netinet/in.h>
#include <netinet/if_ether.h>
+#include <net/pfvar.h>
#include <net/route.h>
#include <ber.h>
@@ -208,6 +209,31 @@ struct oid {
#define MIBEND { { 0 } }, NULL
/*
+ * pf
+ */
+
+enum { PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS,
+ PFRB_IFACES, PFRB_TRANS, PFRB_MAX };
+
+enum { IN, OUT };
+enum { IPV4, IPV6 };
+enum { PASS, BLOCK };
+
+enum { PFI_IFTYPE_GROUP, PFI_IFTYPE_INSTANCE };
+
+struct pfr_buffer {
+ int pfrb_type; /* type of content, see enum above */
+ int pfrb_size; /* number of objects in buffer */
+ int pfrb_msize; /* maximum number of objects in buffer */
+ void *pfrb_caddr; /* malloc'ated memory area */
+};
+
+#define PFRB_FOREACH(var, buf) \
+ for ((var) = pfr_buf_next((buf), NULL); \
+ (var) != NULL; \
+ (var) = pfr_buf_next((buf), (var)))
+
+/*
* daemon structures
*/
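Review bot: The anonymous enums `IN`/`OUT`, `IPV4`/`IPV6` and `PASS`/`BLOCK` add very generic identifiers to snmpd.h, which is included across the daemon and itself pulls in system headers, so a clash with a macro or another enumerator is easy to hit and hard to diagnose. A file-specific prefix would avoid that, e.g. `enum { PFMIB_IN, PFMIB_OUT };` (name constructed for illustration), or the enums could move into the file that uses them. `PFRB_FOREACH` would also benefit from a one-line comment stating that `var` is NULL when the loop runs to completion, since pfta_get_first() in pf.c tests `as == NULL` after the loop. `pfrb_size` and `pfrb_msize` are signed `int`; if pfr_buf_grow() (not in this hunk) multiplies them by an element size, that arithmetic needs an overflow check.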
@@ -382,6 +408,27 @@ void mps_encodeinaddr(struct ber_oid *, struct in_addr *, int);
void mps_decodeinaddr(struct ber_oid *, struct in_addr *, int);
struct ber_oid *mps_table(struct oid *, struct ber_oid *, struct ber_oid *);
+/* pf.c */
+int pf_init(void);
+int pf_get_stats(struct pf_status *);
+int pfr_get_astats(struct pfr_table *, struct pfr_astats *,
+ int *, int);
+int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *,
+ int *, int);
+int pfr_buf_grow(struct pfr_buffer *, int);
+void *pfr_buf_next(struct pfr_buffer *, const void *);
+int pfi_get_ifaces(const char *, struct pfi_kif *, int *);
+int pfi_get(struct pfr_buffer *, const char *);
+int pfi_count(void);
+int pfi_get_if(struct pfi_kif *, int);
+int pft_get(struct pfr_buffer *, struct pfr_table *);
+int pft_count(void);
+int pft_get_table(struct pfr_tstats *, int);
+int pfta_get(struct pfr_buffer *, struct pfr_table *);
+int pfta_get_addr(struct pfr_astats *, int);
+int pfta_get_nextaddr(struct pfr_astats *, int *);
+int pfta_get_first(struct pfr_astats *);
+
/* smi.c */
int smi_init(void);
u_long smi_getticks(void);