Add initial support for pf state synchronization over the network.

Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contains regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

1 files changed, 8 insertions, 1 deletions

diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index f610ea7e898..b48c2a32f2c 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: authpf.c,v 1.72 2003/12/10 04:10:37 beck Exp $	*/
+/*	$OpenBSD: authpf.c,v 1.73 2003/12/15 07:11:31 mcbride Exp $	*/
 
 /*
  * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
@@ -856,6 +856,13 @@ pfctl_set_logif(struct pfctl *pf, char *ifname)
 }
 
 int
+pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
+{
+	fprintf(stderr, "set hostid not supported in authpf\n");
+	return (1);
+}
+
+int
 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
 {
 	fprintf(stderr, "set timeout not supported in authpf\n");