Support for best effort bulk transfers of states when pfsync syncif is

configured.  This this allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.

ABI change, any application which use struct pf_state must be recompiled.

Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.

ok deraadt@

1 files changed, 16 insertions, 3 deletions

diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c
index 0e1bc0ad788..0640a09b2e7 100644
--- a/sys/netinet/ip_carp.c
+++ b/sys/netinet/ip_carp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_carp.c,v 1.39 2004/03/20 11:01:35 mcbride Exp $	*/
+/*	$OpenBSD: ip_carp.c,v 1.40 2004/03/22 04:54:18 mcbride Exp $	*/
 
 /*
  * Copyright (c) 2002 Michael Shalayeff. All rights reserved.
@@ -85,6 +85,11 @@
 #include <net/if_dl.h>
 #endif
 
+#include "pfsync.h"
+#if NPFSYNC > 0
+extern int pfsync_sync_ok;
+#endif
+
 #include "bpfilter.h"
 #if NBPFILTER > 0
 #include <net/bpf.h>
@@ -533,7 +538,11 @@ carp_input_c(struct mbuf *m, struct carp_header *ch, sa_family_t af)
 		 * If we're pre-empting masters who advertise slower than us,
 		 * and this one claims to be slower, treat him as down.
 		 */
-		if (carp_opts[CARPCTL_PREEMPT] && timercmp(&sc_tv, &ch_tv, <)) {
+		if (carp_opts[CARPCTL_PREEMPT]
+#if NPFSYNC > 0
+		    && pfsync_sync_ok
+#endif /* NPFSYNC > 0 */
+		    && timercmp(&sc_tv, &ch_tv, <)) {
 			carp_master_down(sc);
 			break;
 		}
@@ -1087,7 +1096,11 @@ carp_setrun(struct carp_softc *sc, sa_family_t af)
 
 	switch (sc->sc_state) {
 	case INIT:
-		if (carp_opts[CARPCTL_PREEMPT]) {
+		if (carp_opts[CARPCTL_PREEMPT]
+#if NPFSYNC > 0
+		    && pfsync_sync_ok
+#endif /* NPFSYNC > 0 */
+		    ) {
 			carp_send_ad(sc);
 			carp_send_arp(sc);
 #ifdef INET6