Bring in PF-MIB to snmpd.

ok krw@, sthen@

6 files changed, 1883 insertions, 6 deletions

diff --git a/usr.sbin/snmpd/Makefile b/usr.sbin/snmpd/Makefile
index e4a0fd7f69f..65291387f72 100644
--- a/usr.sbin/snmpd/Makefile
+++ b/usr.sbin/snmpd/Makefile
@@ -1,9 +1,10 @@
-#	$OpenBSD: Makefile,v 1.6 2010/05/26 16:44:33 nicm Exp $
+#	$OpenBSD: Makefile,v 1.7 2012/02/23 03:54:38 joel Exp $
 
 PROG=		snmpd
 MAN=		snmpd.8 snmpd.conf.5
 SRCS=		parse.y ber.c log.c control.c snmpe.c \
-		    mps.c trap.c mib.c smi.c kroute.c snmpd.c timer.c
+		    mps.c trap.c mib.c smi.c kroute.c snmpd.c timer.c \
+		    pf.c
 
 LDADD=		-levent -lutil
 DPADD=		${LIBEVENT} ${LIBUTIL}
diff --git a/usr.sbin/snmpd/mib.c b/usr.sbin/snmpd/mib.c
index 7ac40315e5f..ec04873b914 100644
--- a/usr.sbin/snmpd/mib.c
+++ b/usr.sbin/snmpd/mib.c
@@ -1,6 +1,7 @@
-/*	$OpenBSD: mib.c,v 1.49 2012/01/31 18:00:46 joel Exp $	*/
+/*	$OpenBSD: mib.c,v 1.50 2012/02/23 03:54:38 joel Exp $	*/
 
 /*
+ * Copyright (c) 2012 Joel Knight <joel@openbsd.org>
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -33,6 +34,8 @@
 
 #include <net/if.h>
 #include <net/if_types.h>
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
@@ -46,6 +49,7 @@
 #include <event.h>
 #include <fcntl.h>
 #include <string.h>
+#include <time.h>
 #include <unistd.h>
 #include <pwd.h>
 
@@ -1214,6 +1218,7 @@ mib_ifrcvtable(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
 
 /*
  * Defined in 
+ * - OPENBSD-PF-MIB.txt
  * - OPENBSD-SENSORS-MIB.txt
  * - OPENBSD-CARP-MIB.txt
  * (http://www.packetmischief.ca/openbsd-snmp-mibs/)
@@ -1224,10 +1229,29 @@ struct carpif {
 	struct kif	 kif;
 };
 
+int	 mib_pfinfo(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pfcounters(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pfscounters(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pflogif(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pfsrctrack(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pflimits(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pftimeouts(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pfifnum(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pfiftable(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pftablenum(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pftables(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pftableaddrs(struct oid *, struct ber_oid *, struct ber_element **);
+struct ber_oid *
+	 mib_pftableaddrstable(struct oid *, struct ber_oid *, struct ber_oid *);
+int	 mib_pflabelnum(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pflabels(struct oid *, struct ber_oid *, struct ber_element **);
+int	 mib_pfsyncstats(struct oid *, struct ber_oid *, struct ber_element **);
+
 int	 mib_sensornum(struct oid *, struct ber_oid *, struct ber_element **);
 int	 mib_sensors(struct oid *, struct ber_oid *, struct ber_element **);
 const char *mib_sensorunit(struct sensor *);
 char	*mib_sensorvalue(struct sensor *);
+
 int	 mib_carpsysctl(struct oid *, struct ber_oid *, struct ber_element **);
 int	 mib_carpstats(struct oid *, struct ber_oid *, struct ber_element **);
 int	 mib_carpiftable(struct oid *, struct ber_oid *, struct ber_element **);
@@ -1237,6 +1261,165 @@ struct carpif
 int	 mib_memiftable(struct oid *, struct ber_oid *, struct ber_element **);
 
 static struct oid openbsd_mib[] = {
+	{ MIB(pfMIBObjects),		OID_MIB },
+	{ MIB(pfRunning),		OID_RD, mib_pfinfo },
+	{ MIB(pfRuntime),		OID_RD, mib_pfinfo },
+	{ MIB(pfDebug),			OID_RD, mib_pfinfo },
+	{ MIB(pfHostid),		OID_RD, mib_pfinfo },
+	{ MIB(pfCntMatch),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntBadOffset),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntFragment),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntShort),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntNormalize),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntMemory),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntTimestamp),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntCongestion),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntIpOptions),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntProtoCksum),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntStateMismatch),	OID_RD, mib_pfcounters },
+	{ MIB(pfCntStateInsert),	OID_RD, mib_pfcounters },
+	{ MIB(pfCntStateLimit),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntSrcLimit),		OID_RD, mib_pfcounters },
+	{ MIB(pfCntSynproxy),		OID_RD, mib_pfcounters },
+	{ MIB(pfStateCount),		OID_RD, mib_pfscounters },
+	{ MIB(pfStateSearches),		OID_RD, mib_pfscounters },
+	{ MIB(pfStateInserts),		OID_RD, mib_pfscounters },
+	{ MIB(pfStateRemovals),		OID_RD, mib_pfscounters },
+	{ MIB(pfLogIfName),		OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIpBytesIn),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIpBytesOut),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIpPktsInPass),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIpPktsInDrop),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIpPktsOutPass),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIpPktsOutDrop),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIp6BytesIn),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIp6BytesOut),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIp6PktsInPass),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIp6PktsInDrop),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIp6PktsOutPass),	OID_RD, mib_pflogif },
+	{ MIB(pfLogIfIp6PktsOutDrop),	OID_RD, mib_pflogif },
+	{ MIB(pfSrcTrackCount),		OID_RD, mib_pfsrctrack },
+	{ MIB(pfSrcTrackSearches),	OID_RD, mib_pfsrctrack },
+	{ MIB(pfSrcTrackInserts),	OID_RD, mib_pfsrctrack },
+	{ MIB(pfSrcTrackRemovals),	OID_RD, mib_pfsrctrack },
+	{ MIB(pfLimitStates),		OID_RD, mib_pflimits },
+	{ MIB(pfLimitSourceNodes),	OID_RD, mib_pflimits },
+	{ MIB(pfLimitFragments),	OID_RD, mib_pflimits },
+	{ MIB(pfLimitMaxTables), 	OID_RD, mib_pflimits },
+	{ MIB(pfLimitMaxTableEntries),	OID_RD, mib_pflimits },
+	{ MIB(pfTimeoutTcpFirst),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutTcpOpening),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutTcpEstablished),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutTcpClosing),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutTcpFinWait),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutTcpClosed),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutUdpFirst),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutUdpSingle),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutUdpMultiple),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutIcmpFirst),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutIcmpError),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutOtherFirst),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutOtherSingle),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutOtherMultiple),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutFragment),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutInterval),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutAdaptiveStart),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutAdaptiveEnd),	OID_RD, mib_pftimeouts },
+	{ MIB(pfTimeoutSrcTrack),	OID_RD, mib_pftimeouts },
+	{ MIB(pfIfNumber),		OID_RD, mib_pfifnum },
+	{ MIB(pfIfIndex),		OID_TRD, mib_pfiftable },
+	{ MIB(pfIfDescr),		OID_TRD, mib_pfiftable },
+	{ MIB(pfIfType),		OID_TRD, mib_pfiftable },
+	{ MIB(pfIfRefs),		OID_TRD, mib_pfiftable },
+	{ MIB(pfIfRules),		OID_TRD, mib_pfiftable },
+	{ MIB(pfIfIn4PassPkts),		OID_TRD, mib_pfiftable },
+	{ MIB(pfIfIn4PassBytes),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfIn4BlockPkts),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfIn4BlockBytes),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfOut4PassPkts),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfOut4PassBytes),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfOut4BlockPkts),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfOut4BlockBytes),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfIn6PassPkts),		OID_TRD, mib_pfiftable },
+	{ MIB(pfIfIn6PassBytes),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfIn6BlockPkts),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfIn6BlockBytes),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfOut6PassPkts),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfOut6PassBytes),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfOut6BlockPkts),	OID_TRD, mib_pfiftable },
+	{ MIB(pfIfOut6BlockBytes),	OID_TRD, mib_pfiftable },
+	{ MIB(pfTblNumber),		OID_RD, mib_pftablenum },
+	{ MIB(pfTblIndex),		OID_TRD, mib_pftables },
+	{ MIB(pfTblName),		OID_TRD, mib_pftables },
+	{ MIB(pfTblAddresses),		OID_TRD, mib_pftables },
+	{ MIB(pfTblAnchorRefs),		OID_TRD, mib_pftables },
+	{ MIB(pfTblRuleRefs),		OID_TRD, mib_pftables },
+	{ MIB(pfTblEvalsMatch),		OID_TRD, mib_pftables },
+	{ MIB(pfTblEvalsNoMatch),	OID_TRD, mib_pftables },
+	{ MIB(pfTblInPassPkts),		OID_TRD, mib_pftables },
+	{ MIB(pfTblInPassBytes),	OID_TRD, mib_pftables },
+	{ MIB(pfTblInBlockPkts),	OID_TRD, mib_pftables },
+	{ MIB(pfTblInBlockBytes),	OID_TRD, mib_pftables },
+	{ MIB(pfTblInXPassPkts),	OID_TRD, mib_pftables },
+	{ MIB(pfTblInXPassBytes),	OID_TRD, mib_pftables },
+	{ MIB(pfTblOutPassPkts),	OID_TRD, mib_pftables },
+	{ MIB(pfTblOutPassBytes),	OID_TRD, mib_pftables },
+	{ MIB(pfTblOutBlockPkts),	OID_TRD, mib_pftables },
+	{ MIB(pfTblOutBlockBytes),	OID_TRD, mib_pftables },
+	{ MIB(pfTblOutXPassPkts),	OID_TRD, mib_pftables },
+	{ MIB(pfTblOutXPassBytes),	OID_TRD, mib_pftables },
+	{ MIB(pfTblStatsCleared),	OID_TRD, mib_pftables },
+	{ MIB(pfTblAddrTblIndex),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrNet),		OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrMask),		OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrCleared),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrInBlockPkts),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrInBlockBytes),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrInPassPkts),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrInPassBytes),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrOutBlockPkts),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrOutBlockBytes),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrOutPassPkts),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfTblAddrOutPassBytes),	OID_TRD, mib_pftableaddrs,
+	    NULL, mib_pftableaddrstable },
+	{ MIB(pfLabelNumber),		OID_RD, mib_pflabelnum },
+	{ MIB(pfLabelIndex),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelName),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelEvals),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelPkts),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelBytes),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelInPkts),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelInBytes),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelOutPkts),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelOutBytes),		OID_TRD, mib_pflabels },
+	{ MIB(pfLabelTotalStates),	OID_TRD, mib_pflabels },
+	{ MIB(pfsyncIpPktsRecv),	OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncIp6PktsRecv),	OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForBadInterface), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForBadTtl), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktShorterThanHeader), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForBadVersion), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForBadAction), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForBadLength), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForBadAuth), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForStaleState), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForBadValues), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncPktDiscardsForBadState), OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncIpPktsSent),	OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncIp6PktsSent),	OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncNoMemory),		OID_RD, mib_pfsyncstats },
+	{ MIB(pfsyncOutputErrors),	OID_RD, mib_pfsyncstats },
 	{ MIB(sensorsMIBObjects),	OID_MIB },
 	{ MIB(sensorNumber),		OID_RD,	mib_sensornum },
 	{ MIB(sensorIndex),		OID_TRD, mib_sensors },
@@ -1282,6 +1465,827 @@ static struct oid openbsd_mib[] = {
 };
 
 int
+mib_pfinfo(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct pf_status	 s;
+	time_t			 runtime;
+	char			 str[11];
+
+	if (pf_get_stats(&s))
+		return (-1);
+
+	switch (oid->o_oid[OIDIDX_pfstatus]) {
+	case 1:
+		*elm = ber_add_integer(*elm, s.running);
+		break;
+	case 2:
+		if (s.since > 0)
+			runtime = time(NULL) - s.since;
+		else
+			runtime = 0;
+		runtime *= 100;
+		*elm = ber_add_integer(*elm, runtime);
+		ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);
+		break;
+	case 3:
+		*elm = ber_add_integer(*elm, s.debug);
+		break;
+	case 4:
+		snprintf(str, sizeof(str), "0x%08x", ntohl(s.hostid));
+		*elm = ber_add_string(*elm, str);
+		break;
+	default:
+		return (-1);
+	}
+
+	return (0);
+}
+
+int
+mib_pfcounters(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct pf_status	 s;
+	int			 i;
+	struct statsmap {
+		u_int8_t	 m_id;
+		u_int64_t	*m_ptr;
+	}			 mapping[] = {
+		{ 1, &s.counters[PFRES_MATCH] },
+		{ 2, &s.counters[PFRES_BADOFF] },
+		{ 3, &s.counters[PFRES_FRAG] },
+		{ 4, &s.counters[PFRES_SHORT] },
+		{ 5, &s.counters[PFRES_NORM] },
+		{ 6, &s.counters[PFRES_MEMORY] },
+		{ 7, &s.counters[PFRES_TS] },
+		{ 8, &s.counters[PFRES_CONGEST] },
+		{ 9, &s.counters[PFRES_IPOPTIONS] },
+		{ 10, &s.counters[PFRES_PROTCKSUM] },
+		{ 11, &s.counters[PFRES_BADSTATE] },
+		{ 12, &s.counters[PFRES_STATEINS] },
+		{ 13, &s.counters[PFRES_MAXSTATES] },
+		{ 14, &s.counters[PFRES_SRCLIMIT] },
+		{ 15, &s.counters[PFRES_SYNPROXY] }
+	};
+
+	if (pf_get_stats(&s))
+		return (-1);
+
+	for (i = 0;
+	    (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+		if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+			*elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+			ber_set_header(*elm, BER_CLASS_APPLICATION,
+			    SNMP_T_COUNTER64);
+			return (0);
+		}	
+	}
+	return (-1);
+}
+
+int
+mib_pfscounters(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct pf_status	 s;
+	int			 i;
+	struct statsmap {
+		u_int8_t	 m_id;
+		u_int64_t	*m_ptr;
+	}			 mapping[] = {
+		{ 2, &s.fcounters[FCNT_STATE_SEARCH] },
+		{ 3, &s.fcounters[FCNT_STATE_INSERT] },
+		{ 4, &s.fcounters[FCNT_STATE_REMOVALS] },
+	};
+
+	if (pf_get_stats(&s))
+		return (-1);
+
+	switch (oid->o_oid[OIDIDX_pfstatus]) {
+	case 1:
+		*elm = ber_add_integer(*elm, s.states);
+		ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+		break;
+	default:	
+		for (i = 0;
+		    (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+			if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+				*elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+				ber_set_header(*elm, BER_CLASS_APPLICATION,
+				    SNMP_T_COUNTER64);
+				return (0);
+			}	
+		}
+		return (-1);
+	}
+
+	return (0);
+}
+
+int
+mib_pflogif(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct pf_status	 s;
+	int			 i;
+	struct statsmap {
+		u_int8_t	 m_id;
+		u_int64_t	*m_ptr;
+	}			 mapping[] = {
+		{ 2, &s.bcounters[IPV4][IN] },
+		{ 3, &s.bcounters[IPV4][OUT] },
+		{ 4, &s.pcounters[IPV4][IN][PF_PASS] },
+		{ 5, &s.pcounters[IPV4][IN][PF_DROP] },
+		{ 6, &s.pcounters[IPV4][OUT][PF_PASS] },
+		{ 7, &s.pcounters[IPV4][OUT][PF_DROP] },
+		{ 8, &s.bcounters[IPV6][IN] },
+		{ 9, &s.bcounters[IPV6][OUT] },
+		{ 10, &s.pcounters[IPV6][IN][PF_PASS] },
+		{ 11, &s.pcounters[IPV6][IN][PF_DROP] },
+		{ 12, &s.pcounters[IPV6][OUT][PF_PASS] },
+		{ 13, &s.pcounters[IPV6][OUT][PF_DROP] }
+	};
+
+	if (pf_get_stats(&s))
+		return (-1);
+
+	switch (oid->o_oid[OIDIDX_pfstatus]) {
+	case 1:
+		*elm = ber_add_string(*elm, s.ifname);
+		break;
+	default:	
+		for (i = 0;
+		    (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+			if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+				*elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+				ber_set_header(*elm, BER_CLASS_APPLICATION,
+				    SNMP_T_COUNTER64);
+				return (0);
+			}	
+		}
+		return (-1);
+	}
+
+	return (0);
+}
+
+int
+mib_pfsrctrack(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct pf_status	 s;
+	int			 i;
+	struct statsmap {
+		u_int8_t	 m_id;
+		u_int64_t	*m_ptr;
+	}			 mapping[] = {
+		{ 2, &s.scounters[SCNT_SRC_NODE_SEARCH] },
+		{ 3, &s.scounters[SCNT_SRC_NODE_INSERT] },
+		{ 4, &s.scounters[SCNT_SRC_NODE_REMOVALS] }
+	};
+
+	if (pf_get_stats(&s))
+		return (-1);
+
+	switch (oid->o_oid[OIDIDX_pfstatus]) {
+	case 1:
+		*elm = ber_add_integer(*elm, s.src_nodes);
+		ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+		break;
+	default:	
+		for (i = 0;
+		    (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+			if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+				*elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+				ber_set_header(*elm, BER_CLASS_APPLICATION,
+				    SNMP_T_COUNTER64);
+				return (0);
+			}	
+		}
+		return (-1);
+	}
+
+	return (0);
+}
+
+int
+mib_pflimits(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct pfioc_limit	 pl;
+	int			 i;
+	extern int		 devpf;
+	struct statsmap {
+		u_int8_t	 m_id;
+		u_int8_t	 m_limit;
+	}			 mapping[] = {
+		{ 1, PF_LIMIT_STATES },
+		{ 2, PF_LIMIT_SRC_NODES },
+		{ 3, PF_LIMIT_FRAGS },
+		{ 4, PF_LIMIT_TABLES },
+		{ 5, PF_LIMIT_TABLE_ENTRIES }
+	};
+
+	memset(&pl, 0, sizeof(pl));
+	pl.index = PF_LIMIT_MAX;
+
+	for (i = 0;
+	    (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+		if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+			pl.index = mapping[i].m_limit;
+			break;
+		}	
+	}
+
+	if (pl.index == PF_LIMIT_MAX)
+		return (-1);
+
+	if (ioctl(devpf, DIOCGETLIMIT, &pl)) {
+		log_warn("DIOCGETLIMIT");
+		return (-1);
+	}
+
+	*elm = ber_add_integer(*elm, pl.limit);
+	ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+
+	return (0);
+}
+
+int
+mib_pftimeouts(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct pfioc_tm		 pt;
+	int			 i;
+	extern int		 devpf;
+	struct statsmap {
+		u_int8_t	 m_id;
+		u_int8_t	 m_tm;
+	}			 mapping[] = {
+		{ 1, PFTM_TCP_FIRST_PACKET },
+		{ 2, PFTM_TCP_OPENING },
+		{ 3, PFTM_TCP_ESTABLISHED },
+		{ 4, PFTM_TCP_CLOSING },
+		{ 5, PFTM_TCP_FIN_WAIT },
+		{ 6, PFTM_TCP_CLOSED },
+		{ 7, PFTM_UDP_FIRST_PACKET },
+		{ 8, PFTM_UDP_SINGLE },
+		{ 9, PFTM_UDP_MULTIPLE },
+		{ 10, PFTM_ICMP_FIRST_PACKET },
+		{ 11, PFTM_ICMP_ERROR_REPLY },
+		{ 12, PFTM_OTHER_FIRST_PACKET },
+		{ 13, PFTM_OTHER_SINGLE },
+		{ 14, PFTM_OTHER_MULTIPLE },
+		{ 15, PFTM_FRAG },
+		{ 16, PFTM_INTERVAL },
+		{ 17, PFTM_ADAPTIVE_START },
+		{ 18, PFTM_ADAPTIVE_END },
+		{ 19, PFTM_SRC_NODE }
+	};
+
+	memset(&pt, 0, sizeof(pt));
+	pt.timeout = PFTM_MAX;
+
+	for (i = 0;
+	    (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+		if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+			pt.timeout = mapping[i].m_tm;
+			break;
+		}	
+	}
+
+	if (pt.timeout == PFTM_MAX)
+		return (-1);
+
+	if (ioctl(devpf, DIOCGETTIMEOUT, &pt)) {
+		log_warn("DIOCGETTIMEOUT");
+		return (-1);
+	}
+
+	*elm = ber_add_integer(*elm, pt.seconds);
+
+	return (0);
+}
+
+int
+mib_pfifnum(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	int	 c;
+
+	if ((c = pfi_count()) == -1)
+		return (-1);
+
+	*elm = ber_add_integer(*elm, c);
+
+	return (0);
+}
+
+int
+mib_pfiftable(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct ber_element	*ber = *elm;
+	struct pfi_kif		 pif;
+	int			 idx, iftype;
+
+	/* Get and verify the current row index */
+	idx = o->bo_id[OIDIDX_pfIfEntry];
+
+	if (pfi_get_if(&pif, idx))
+		return (1);
+
+	ber = ber_add_oid(ber, o);
+
+	switch (o->bo_id[OIDIDX_pfInterface]) {
+	case 1:
+		ber = ber_add_integer(ber, idx);
+		break;
+	case 2:
+		ber = ber_add_string(ber, pif.pfik_name);
+		break;
+	case 3:
+		iftype = (pif.pfik_ifp == NULL ? PFI_IFTYPE_GROUP
+		    : PFI_IFTYPE_INSTANCE);
+		ber = ber_add_integer(ber, iftype);
+		break;
+	case 4:
+		ber = ber_add_integer(ber, pif.pfik_states);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+		break;
+	case 5:
+		ber = ber_add_integer(ber, pif.pfik_rules);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_UNSIGNED32);
+		break;
+	case 6:
+		ber = ber_add_integer(ber, pif.pfik_packets[IPV4][IN][PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 7:
+		ber = ber_add_integer(ber, pif.pfik_bytes[IPV4][IN][PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 8:
+		ber = ber_add_integer(ber, pif.pfik_packets[IPV4][IN][BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 9:
+		ber = ber_add_integer(ber, pif.pfik_bytes[IPV4][IN][BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 10:
+		ber = ber_add_integer(ber, pif.pfik_packets[IPV4][OUT][PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 11:
+		ber = ber_add_integer(ber, pif.pfik_bytes[IPV4][OUT][PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 12:
+		ber = ber_add_integer(ber, pif.pfik_packets[IPV4][OUT][BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 13:
+		ber = ber_add_integer(ber, pif.pfik_bytes[IPV4][OUT][BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 14:
+		ber = ber_add_integer(ber, pif.pfik_packets[IPV6][IN][PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 15:
+		ber = ber_add_integer(ber, pif.pfik_bytes[IPV6][IN][PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 16:
+		ber = ber_add_integer(ber, pif.pfik_packets[IPV6][IN][BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 17:
+		ber = ber_add_integer(ber, pif.pfik_bytes[IPV6][IN][BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 18:
+		ber = ber_add_integer(ber, pif.pfik_packets[IPV6][OUT][PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 19:
+		ber = ber_add_integer(ber, pif.pfik_bytes[IPV6][OUT][PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 20:
+		ber = ber_add_integer(ber, pif.pfik_packets[IPV6][OUT][BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 21:
+		ber = ber_add_integer(ber, pif.pfik_bytes[IPV6][OUT][BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	default:
+		return (1);
+	}
+	
+	return (0);
+}
+
+int
+mib_pftablenum(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	int	 c;
+
+	if ((c = pft_count()) == -1)
+		return (-1);
+
+	*elm = ber_add_integer(*elm, c);
+
+	return (0);
+}
+
+int
+mib_pftables(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct ber_element	*ber = *elm;
+	struct pfr_tstats	 ts;
+	time_t			 tzero;
+	int			 idx;
+
+	/* Get and verify the current row index */
+	idx = o->bo_id[OIDIDX_pfTableEntry];
+
+	if (pft_get_table(&ts, idx))
+		return (1);
+
+	ber = ber_add_oid(ber, o);
+
+	switch (o->bo_id[OIDIDX_pfTable]) {
+	case 1:
+		ber = ber_add_integer(ber, idx);
+		break;
+	case 2:
+		ber = ber_add_string(ber, ts.pfrts_name);
+		break;
+	case 3:
+		ber = ber_add_integer(ber, ts.pfrts_cnt);
+		break;
+	case 4:
+		ber = ber_add_integer(ber, ts.pfrts_refcnt[PFR_REFCNT_ANCHOR]);
+		break;
+	case 5:
+		ber = ber_add_integer(ber, ts.pfrts_refcnt[PFR_REFCNT_RULE]);
+		break;
+	case 6:
+		ber = ber_add_integer(ber, ts.pfrts_match);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 7:
+		ber = ber_add_integer(ber, ts.pfrts_nomatch);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 8:
+		ber = ber_add_integer(ber, ts.pfrts_packets[IN][PFR_OP_PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 9:
+		ber = ber_add_integer(ber, ts.pfrts_bytes[IN][PFR_OP_PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 10:
+		ber = ber_add_integer(ber, ts.pfrts_packets[IN][PFR_OP_BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 11:
+		ber = ber_add_integer(ber, ts.pfrts_bytes[IN][PFR_OP_BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 12:
+		ber = ber_add_integer(ber, ts.pfrts_packets[IN][PFR_OP_XPASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 13:
+		ber = ber_add_integer(ber, ts.pfrts_bytes[IN][PFR_OP_XPASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 14:
+		ber = ber_add_integer(ber, ts.pfrts_packets[OUT][PFR_OP_PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 15:
+		ber = ber_add_integer(ber, ts.pfrts_bytes[OUT][PFR_OP_PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 16:
+		ber = ber_add_integer(ber, ts.pfrts_packets[OUT][PFR_OP_BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 17:
+		ber = ber_add_integer(ber, ts.pfrts_bytes[OUT][PFR_OP_BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 18:
+		ber = ber_add_integer(ber, ts.pfrts_packets[OUT][PFR_OP_XPASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 19:
+		ber = ber_add_integer(ber, ts.pfrts_bytes[OUT][PFR_OP_XPASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 20:
+		tzero = (time(NULL) - ts.pfrts_tzero) * 100;
+		ber = ber_add_integer(ber, tzero);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);
+		break;
+	default:
+		return (1);
+	}
+
+	return (0);
+}
+
+int
+mib_pftableaddrs(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct ber_element	*ber = *elm;
+	struct pfr_astats	 as;
+	int			 tblidx;
+
+	tblidx = o->bo_id[OIDIDX_pfTblAddr + 1];
+	mps_decodeinaddr(o, &as.pfras_a.pfra_ip4addr, OIDIDX_pfTblAddr + 2);
+	as.pfras_a.pfra_net = o->bo_id[OIDIDX_pfTblAddr + 6];
+
+	if (pfta_get_addr(&as, tblidx))
+		return (-1);
+
+	/* write OID */
+	ber = ber_add_oid(ber, o);
+
+	switch (o->bo_id[OIDIDX_pfTblAddr]) {
+	case 1:
+		ber = ber_add_integer(ber, tblidx);
+		break;
+	case 2:
+		ber = ber_add_nstring(ber, (char *)&as.pfras_a.pfra_ip4addr,
+		    sizeof(u_int32_t));
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_IPADDR);
+		break;
+	case 3:
+		ber = ber_add_integer(ber, as.pfras_a.pfra_net);
+		break;
+	case 4:
+		ber = ber_add_integer(ber, (time(NULL) - as.pfras_tzero) * 100);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);
+		break;
+	case 5:
+		ber = ber_add_integer(ber, as.pfras_packets[IN][PFR_OP_BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 6:
+		ber = ber_add_integer(ber, as.pfras_bytes[IN][PFR_OP_BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 7:
+		ber = ber_add_integer(ber, as.pfras_packets[IN][PFR_OP_PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 8:
+		ber = ber_add_integer(ber, as.pfras_bytes[IN][PFR_OP_PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 9:
+		ber = ber_add_integer(ber, as.pfras_packets[OUT][PFR_OP_BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 10:
+		ber = ber_add_integer(ber, as.pfras_bytes[OUT][PFR_OP_BLOCK]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 11:
+		ber = ber_add_integer(ber, as.pfras_packets[OUT][PFR_OP_PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 12:
+		ber = ber_add_integer(ber, as.pfras_bytes[OUT][PFR_OP_PASS]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	default:
+		return (-1);
+	}
+
+	return (0);
+}
+
+struct ber_oid *
+mib_pftableaddrstable(struct oid *oid, struct ber_oid *o, struct ber_oid *no)
+{
+	struct pfr_astats	 as;
+	struct oid		 a, b;
+	u_int32_t		 id, tblidx;
+
+	bcopy(&oid->o_id, no, sizeof(*no));
+	id = oid->o_oidlen - 1;
+
+	if (o->bo_n >= oid->o_oidlen) {
+		/*
+		 * Compare the requested and the matched OID to see
+		 * if we have to iterate to the next element.
+		 */
+		bzero(&a, sizeof(a));
+		bcopy(o, &a.o_id, sizeof(struct ber_oid));
+		bzero(&b, sizeof(b));
+		bcopy(&oid->o_id, &b.o_id, sizeof(struct ber_oid));
+		b.o_oidlen--;
+		b.o_flags |= OID_TABLE;
+		if (smi_oid_cmp(&a, &b) == 0) {
+			o->bo_id[id] = oid->o_oid[id];
+			bcopy(o, no, sizeof(*no));
+		}
+	}
+
+	tblidx = no->bo_id[OIDIDX_pfTblAddr + 1];
+	mps_decodeinaddr(no, &as.pfras_a.pfra_ip4addr, OIDIDX_pfTblAddr + 2);
+	as.pfras_a.pfra_net = no->bo_id[OIDIDX_pfTblAddr + 6];
+	
+	if (tblidx == 0) {
+		if (pfta_get_first(&as))
+			return (NULL);
+		tblidx = 1;
+	} else {
+		if (pfta_get_nextaddr(&as, &tblidx)) {
+			/* We reached the last addr in the last table.
+			 * When the next OIDIDX_pfTblAddr'th OID is requested,
+			 * get the first table address again.
+			 */
+			o->bo_id[OIDIDX_pfTblAddr + 1] = 0;
+			smi_oidlen(o);
+			return (NULL);
+		}
+	}
+
+	no->bo_id[OIDIDX_pfTblAddr + 1] = tblidx;
+	mps_encodeinaddr(no, &as.pfras_a.pfra_ip4addr, OIDIDX_pfTblAddr + 2);
+	no->bo_id[OIDIDX_pfTblAddr + 6] = as.pfras_a.pfra_net;
+	no->bo_n += 1;
+
+	smi_oidlen(o);
+
+	return (no);
+}
+
+int
+mib_pflabelnum(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct pfioc_rule	 pr;
+	u_int32_t		 nr, mnr, lnr;
+	extern int		 devpf;
+
+	memset(&pr, 0, sizeof(pr));
+	if (ioctl(devpf, DIOCGETRULES, &pr)) {
+		log_warn("DIOCGETRULES");
+		return (-1);
+	}
+
+	mnr = pr.nr;
+	lnr = 0;
+	for (nr = 0; nr < mnr; ++nr) {
+		pr.nr = nr;
+		if (ioctl(devpf, DIOCGETRULE, &pr)) {
+			log_warn("DIOCGETRULE");
+			return (-1);
+		}
+
+		if (pr.rule.label[0])
+			lnr++;
+	}
+
+	*elm = ber_add_integer(*elm, lnr);
+
+	return (0);
+}
+
+int
+mib_pflabels(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	struct ber_element	*ber = *elm;
+	struct pfioc_rule	 pr;
+	struct pf_rule		*r = NULL;
+	u_int32_t		 nr, mnr, lnr;
+	u_int32_t		 idx;
+	extern int		 devpf;
+
+	/* Get and verify the current row index */
+	idx = o->bo_id[OIDIDX_pfLabelEntry];
+
+	memset(&pr, 0, sizeof(pr));
+	if (ioctl(devpf, DIOCGETRULES, &pr)) {
+		log_warn("DIOCGETRULES");
+		return (-1);
+	}
+
+	mnr = pr.nr;
+	lnr = 0;
+	for (nr = 0; nr < mnr; ++nr) {
+		pr.nr = nr;
+		if (ioctl(devpf, DIOCGETRULE, &pr)) {
+			log_warn("DIOCGETRULE");
+			return (-1);
+		}
+
+		if (pr.rule.label[0] && ++lnr == idx) {
+			r = &pr.rule;
+			break;
+		}
+	}
+
+	if (r == NULL)
+		return (1);
+
+	ber = ber_add_oid(ber, o);
+
+	switch (o->bo_id[OIDIDX_pfLabel]) {
+	case 1:
+		ber = ber_add_integer(ber, lnr);
+		break;
+	case 2:
+		ber = ber_add_string(ber, r->label);
+		break;
+	case 3:
+		ber = ber_add_integer(ber, r->evaluations);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 4:
+		ber = ber_add_integer(ber, r->packets[IN] + r->packets[OUT]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 5:
+		ber = ber_add_integer(ber, r->bytes[IN] + r->bytes[OUT]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 6:
+		ber = ber_add_integer(ber, r->packets[IN]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 7:
+		ber = ber_add_integer(ber, r->bytes[IN]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 8:
+		ber = ber_add_integer(ber, r->packets[OUT]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 9:
+		ber = ber_add_integer(ber, r->bytes[OUT]);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+		break;
+	case 10:
+		ber = ber_add_integer(ber, r->states_tot);
+		ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER32);
+		break;
+	default:
+		return (1);
+	}
+
+	return (0);
+}
+
+int
+mib_pfsyncstats(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
+{
+	int			 i;
+	int 			 mib[] = { CTL_NET, AF_INET, IPPROTO_PFSYNC, 
+				    PFSYNCCTL_STATS };
+	size_t			 len = sizeof(struct pfsyncstats);
+	struct pfsyncstats 	 s;
+	struct statsmap {
+		u_int8_t	 m_id;
+		u_int64_t	*m_ptr;
+	}			 mapping[] = {
+		{ 1, &s.pfsyncs_ipackets },
+		{ 2, &s.pfsyncs_ipackets6 },
+		{ 3, &s.pfsyncs_badif },
+		{ 4, &s.pfsyncs_badttl },
+		{ 5, &s.pfsyncs_hdrops },
+		{ 6, &s.pfsyncs_badver },
+		{ 7, &s.pfsyncs_badact },
+		{ 8, &s.pfsyncs_badlen },
+		{ 9, &s.pfsyncs_badauth },
+		{ 10, &s.pfsyncs_stale },
+		{ 11, &s.pfsyncs_badval },
+		{ 12, &s.pfsyncs_badstate },
+		{ 13, &s.pfsyncs_opackets },
+		{ 14, &s.pfsyncs_opackets6 },
+		{ 15, &s.pfsyncs_onomem },
+		{ 16, &s.pfsyncs_oerrors }
+	};
+	
+	if (sysctl(mib, 4, &s, &len, NULL, 0) == -1) {
+		log_warn("sysctl");
+		return (-1);
+	}
+
+	for (i = 0;
+	    (u_int)i < (sizeof(mapping) / sizeof(mapping[0])); i++) {
+		if (oid->o_oid[OIDIDX_pfstatus] == mapping[i].m_id) {
+			*elm = ber_add_integer(*elm, *mapping[i].m_ptr);
+			ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+			return (0);
+		}	
+	}
+
+	return (-1);
+}
+
+int
 mib_sensornum(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
 {
 	struct sensordev	 sensordev;
diff --git a/usr.sbin/snmpd/mib.h b/usr.sbin/snmpd/mib.h
index 2b8f9d461f8..b9b83dfe096 100644
--- a/usr.sbin/snmpd/mib.h
+++ b/usr.sbin/snmpd/mib.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: mib.h,v 1.23 2012/01/31 18:17:19 joel Exp $	*/
+/*	$OpenBSD: mib.h,v 1.24 2012/02/23 03:54:38 joel Exp $	*/
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -398,6 +398,179 @@
 
 /* OPENBSD-MIB */
 #define MIB_pfMIBObjects		MIB_openBSD, 1
+#define MIB_pfInfo			MIB_pfMIBObjects, 1
+#define MIB_pfRunning			MIB_pfInfo, 1
+#define MIB_pfRuntime			MIB_pfInfo, 2
+#define MIB_pfDebug			MIB_pfInfo, 3
+#define MIB_pfHostid			MIB_pfInfo, 4
+#define MIB_pfCounters			MIB_pfMIBObjects, 2
+#define MIB_pfCntMatch			MIB_pfCounters, 1
+#define MIB_pfCntBadOffset		MIB_pfCounters, 2
+#define MIB_pfCntFragment		MIB_pfCounters, 3
+#define MIB_pfCntShort			MIB_pfCounters, 4
+#define MIB_pfCntNormalize		MIB_pfCounters, 5
+#define MIB_pfCntMemory			MIB_pfCounters, 6
+#define MIB_pfCntTimestamp		MIB_pfCounters, 7
+#define MIB_pfCntCongestion		MIB_pfCounters, 8
+#define MIB_pfCntIpOptions		MIB_pfCounters, 9
+#define MIB_pfCntProtoCksum		MIB_pfCounters, 10
+#define MIB_pfCntStateMismatch		MIB_pfCounters, 11
+#define MIB_pfCntStateInsert		MIB_pfCounters, 12
+#define MIB_pfCntStateLimit		MIB_pfCounters, 13
+#define MIB_pfCntSrcLimit		MIB_pfCounters, 14
+#define MIB_pfCntSynproxy		MIB_pfCounters, 15
+#define MIB_pfStateTable		MIB_pfMIBObjects, 3
+#define MIB_pfStateCount		MIB_pfStateTable, 1
+#define MIB_pfStateSearches		MIB_pfStateTable, 2
+#define MIB_pfStateInserts		MIB_pfStateTable, 3
+#define MIB_pfStateRemovals		MIB_pfStateTable, 4
+#define MIB_pfLogInterface		MIB_pfMIBObjects, 4
+#define MIB_pfLogIfName			MIB_pfLogInterface, 1
+#define MIB_pfLogIfIpBytesIn		MIB_pfLogInterface, 2
+#define MIB_pfLogIfIpBytesOut		MIB_pfLogInterface, 3
+#define MIB_pfLogIfIpPktsInPass		MIB_pfLogInterface, 4
+#define MIB_pfLogIfIpPktsInDrop		MIB_pfLogInterface, 5
+#define MIB_pfLogIfIpPktsOutPass	MIB_pfLogInterface, 6
+#define MIB_pfLogIfIpPktsOutDrop	MIB_pfLogInterface, 7
+#define MIB_pfLogIfIp6BytesIn		MIB_pfLogInterface, 8
+#define MIB_pfLogIfIp6BytesOut		MIB_pfLogInterface, 9
+#define MIB_pfLogIfIp6PktsInPass	MIB_pfLogInterface, 10
+#define MIB_pfLogIfIp6PktsInDrop	MIB_pfLogInterface, 11
+#define MIB_pfLogIfIp6PktsOutPass	MIB_pfLogInterface, 12
+#define MIB_pfLogIfIp6PktsOutDrop	MIB_pfLogInterface, 13
+#define MIB_pfSrcTracking		MIB_pfMIBObjects, 5
+#define MIB_pfSrcTrackCount		MIB_pfSrcTracking, 1
+#define MIB_pfSrcTrackSearches		MIB_pfSrcTracking, 2
+#define MIB_pfSrcTrackInserts		MIB_pfSrcTracking, 3
+#define MIB_pfSrcTrackRemovals		MIB_pfSrcTracking, 4
+#define MIB_pfLimits			MIB_pfMIBObjects, 6
+#define MIB_pfLimitStates		MIB_pfLimits, 1
+#define MIB_pfLimitSourceNodes		MIB_pfLimits, 2
+#define MIB_pfLimitFragments		MIB_pfLimits, 3
+#define MIB_pfLimitMaxTables		MIB_pfLimits, 4
+#define MIB_pfLimitMaxTableEntries	MIB_pfLimits, 5
+#define MIB_pfTimeouts			MIB_pfMIBObjects, 7
+#define MIB_pfTimeoutTcpFirst		MIB_pfTimeouts, 1
+#define MIB_pfTimeoutTcpOpening		MIB_pfTimeouts, 2
+#define MIB_pfTimeoutTcpEstablished	MIB_pfTimeouts, 3
+#define MIB_pfTimeoutTcpClosing		MIB_pfTimeouts, 4
+#define MIB_pfTimeoutTcpFinWait		MIB_pfTimeouts, 5
+#define MIB_pfTimeoutTcpClosed		MIB_pfTimeouts, 6
+#define MIB_pfTimeoutUdpFirst		MIB_pfTimeouts, 7
+#define MIB_pfTimeoutUdpSingle		MIB_pfTimeouts, 8
+#define MIB_pfTimeoutUdpMultiple	MIB_pfTimeouts, 9
+#define MIB_pfTimeoutIcmpFirst		MIB_pfTimeouts, 10
+#define MIB_pfTimeoutIcmpError		MIB_pfTimeouts, 11
+#define MIB_pfTimeoutOtherFirst		MIB_pfTimeouts, 12
+#define MIB_pfTimeoutOtherSingle	MIB_pfTimeouts, 13
+#define MIB_pfTimeoutOtherMultiple	MIB_pfTimeouts, 14
+#define MIB_pfTimeoutFragment		MIB_pfTimeouts, 15
+#define MIB_pfTimeoutInterval		MIB_pfTimeouts, 16
+#define MIB_pfTimeoutAdaptiveStart	MIB_pfTimeouts, 17
+#define MIB_pfTimeoutAdaptiveEnd	MIB_pfTimeouts, 18
+#define MIB_pfTimeoutSrcTrack		MIB_pfTimeouts, 19
+#define OIDIDX_pfstatus			9
+#define MIB_pfInterfaces		MIB_pfMIBObjects, 8
+#define MIB_pfIfNumber			MIB_pfInterfaces, 1
+#define MIB_pfIfTable			MIB_pfInterfaces, 128
+#define MIB_pfIfEntry			MIB_pfIfTable, 1
+#define OIDIDX_pfInterface		11
+#define OIDIDX_pfIfEntry		12
+#define MIB_pfIfIndex			MIB_pfIfEntry, 1
+#define MIB_pfIfDescr			MIB_pfIfEntry, 2
+#define MIB_pfIfType			MIB_pfIfEntry, 3
+#define MIB_pfIfRefs			MIB_pfIfEntry, 4
+#define MIB_pfIfRules			MIB_pfIfEntry, 5
+#define MIB_pfIfIn4PassPkts		MIB_pfIfEntry, 6
+#define MIB_pfIfIn4PassBytes		MIB_pfIfEntry, 7
+#define MIB_pfIfIn4BlockPkts		MIB_pfIfEntry, 8
+#define MIB_pfIfIn4BlockBytes		MIB_pfIfEntry, 9
+#define MIB_pfIfOut4PassPkts		MIB_pfIfEntry, 10
+#define MIB_pfIfOut4PassBytes		MIB_pfIfEntry, 11
+#define MIB_pfIfOut4BlockPkts		MIB_pfIfEntry, 12
+#define MIB_pfIfOut4BlockBytes		MIB_pfIfEntry, 13
+#define MIB_pfIfIn6PassPkts		MIB_pfIfEntry, 14
+#define MIB_pfIfIn6PassBytes		MIB_pfIfEntry, 15
+#define MIB_pfIfIn6BlockPkts		MIB_pfIfEntry, 16
+#define MIB_pfIfIn6BlockBytes		MIB_pfIfEntry, 17
+#define MIB_pfIfOut6PassPkts		MIB_pfIfEntry, 18
+#define MIB_pfIfOut6PassBytes		MIB_pfIfEntry, 19
+#define MIB_pfIfOut6BlockPkts		MIB_pfIfEntry, 20
+#define MIB_pfIfOut6BlockBytes		MIB_pfIfEntry, 21
+#define MIB_pfTables			MIB_pfMIBObjects, 9
+#define MIB_pfTblNumber			MIB_pfTables, 1
+#define MIB_pfTblTable			MIB_pfTables, 128
+#define MIB_pfTblEntry			MIB_pfTblTable, 1
+#define OIDIDX_pfTable			11
+#define OIDIDX_pfTableEntry		12
+#define MIB_pfTblIndex			MIB_pfTblEntry, 1
+#define MIB_pfTblName			MIB_pfTblEntry, 2
+#define MIB_pfTblAddresses		MIB_pfTblEntry, 3
+#define MIB_pfTblAnchorRefs		MIB_pfTblEntry, 4
+#define MIB_pfTblRuleRefs		MIB_pfTblEntry, 5
+#define MIB_pfTblEvalsMatch		MIB_pfTblEntry, 6
+#define MIB_pfTblEvalsNoMatch		MIB_pfTblEntry, 7
+#define MIB_pfTblInPassPkts		MIB_pfTblEntry, 8
+#define MIB_pfTblInPassBytes		MIB_pfTblEntry, 9
+#define MIB_pfTblInBlockPkts		MIB_pfTblEntry, 10
+#define MIB_pfTblInBlockBytes		MIB_pfTblEntry, 11
+#define MIB_pfTblInXPassPkts		MIB_pfTblEntry, 12
+#define MIB_pfTblInXPassBytes		MIB_pfTblEntry, 13
+#define MIB_pfTblOutPassPkts		MIB_pfTblEntry, 14
+#define MIB_pfTblOutPassBytes		MIB_pfTblEntry, 15
+#define MIB_pfTblOutBlockPkts		MIB_pfTblEntry, 16
+#define MIB_pfTblOutBlockBytes		MIB_pfTblEntry, 17
+#define MIB_pfTblOutXPassPkts		MIB_pfTblEntry, 18
+#define MIB_pfTblOutXPassBytes		MIB_pfTblEntry, 19
+#define MIB_pfTblStatsCleared		MIB_pfTblEntry, 20
+#define MIB_pfTblAddrTable		MIB_pfTables, 129
+#define MIB_pfTblAddrEntry		MIB_pfTblAddrTable, 1
+#define OIDIDX_pfTblAddr		11
+#define MIB_pfTblAddrTblIndex		MIB_pfTblAddrEntry, 1
+#define MIB_pfTblAddrNet		MIB_pfTblAddrEntry, 2
+#define MIB_pfTblAddrMask		MIB_pfTblAddrEntry, 3
+#define MIB_pfTblAddrCleared		MIB_pfTblAddrEntry, 4
+#define MIB_pfTblAddrInBlockPkts	MIB_pfTblAddrEntry, 5
+#define MIB_pfTblAddrInBlockBytes	MIB_pfTblAddrEntry, 6
+#define MIB_pfTblAddrInPassPkts		MIB_pfTblAddrEntry, 7
+#define MIB_pfTblAddrInPassBytes	MIB_pfTblAddrEntry, 8
+#define MIB_pfTblAddrOutBlockPkts	MIB_pfTblAddrEntry, 9
+#define MIB_pfTblAddrOutBlockBytes	MIB_pfTblAddrEntry, 10
+#define MIB_pfTblAddrOutPassPkts	MIB_pfTblAddrEntry, 11
+#define MIB_pfTblAddrOutPassBytes	MIB_pfTblAddrEntry, 12
+#define MIB_pfLabels			MIB_pfMIBObjects, 10
+#define MIB_pfLabelNumber		MIB_pfLabels, 1
+#define MIB_pfLabelTable		MIB_pfLabels, 128
+#define OIDIDX_pfLabel			11
+#define OIDIDX_pfLabelEntry		12
+#define MIB_pfLabelEntry		MIB_pfLabelTable, 1
+#define MIB_pfLabelIndex		MIB_pfLabelEntry, 1
+#define MIB_pfLabelName			MIB_pfLabelEntry, 2
+#define MIB_pfLabelEvals		MIB_pfLabelEntry, 3
+#define MIB_pfLabelPkts			MIB_pfLabelEntry, 4
+#define MIB_pfLabelBytes		MIB_pfLabelEntry, 5
+#define MIB_pfLabelInPkts		MIB_pfLabelEntry, 6
+#define MIB_pfLabelInBytes		MIB_pfLabelEntry, 7
+#define MIB_pfLabelOutPkts		MIB_pfLabelEntry, 8
+#define MIB_pfLabelOutBytes		MIB_pfLabelEntry, 9
+#define MIB_pfLabelTotalStates		MIB_pfLabelEntry, 10
+#define MIB_pfsyncStats			MIB_pfMIBObjects, 11
+#define MIB_pfsyncIpPktsRecv		MIB_pfsyncStats, 1
+#define MIB_pfsyncIp6PktsRecv		MIB_pfsyncStats, 2
+#define MIB_pfsyncPktDiscardsForBadInterface	MIB_pfsyncStats, 3
+#define MIB_pfsyncPktDiscardsForBadTtl		MIB_pfsyncStats, 4
+#define MIB_pfsyncPktShorterThanHeader		MIB_pfsyncStats, 5
+#define MIB_pfsyncPktDiscardsForBadVersion	MIB_pfsyncStats, 6
+#define MIB_pfsyncPktDiscardsForBadAction	MIB_pfsyncStats, 7
+#define MIB_pfsyncPktDiscardsForBadLength	MIB_pfsyncStats, 8
+#define MIB_pfsyncPktDiscardsForBadAuth		MIB_pfsyncStats, 9
+#define MIB_pfsyncPktDiscardsForStaleState	MIB_pfsyncStats, 10
+#define MIB_pfsyncPktDiscardsForBadValues	MIB_pfsyncStats, 11
+#define MIB_pfsyncPktDiscardsForBadState	MIB_pfsyncStats, 12
+#define MIB_pfsyncIpPktsSent		MIB_pfsyncStats, 13
+#define MIB_pfsyncIp6PktsSent		MIB_pfsyncStats, 14
+#define MIB_pfsyncNoMemory		MIB_pfsyncStats, 15
+#define MIB_pfsyncOutputErrors		MIB_pfsyncStats, 16
 #define MIB_sensorsMIBObjects		MIB_openBSD, 2
 #define MIB_sensors			MIB_sensorsMIBObjects, 1
 #define MIB_sensorNumber		MIB_sensors, 1
@@ -719,6 +892,172 @@
 	{ MIBDECL(vantronix) },				\
 	{ MIBDECL(openBSD) },				\
 							\
+	{ MIBDECL(pfMIBObjects) },			\
+	{ MIBDECL(pfInfo) },				\
+	{ MIBDECL(pfRunning) },				\
+	{ MIBDECL(pfRuntime) },				\
+	{ MIBDECL(pfDebug) },				\
+	{ MIBDECL(pfHostid) },				\
+	{ MIBDECL(pfCounters) },			\
+	{ MIBDECL(pfCntMatch) },			\
+	{ MIBDECL(pfCntBadOffset) },			\
+	{ MIBDECL(pfCntFragment) },			\
+	{ MIBDECL(pfCntShort) },			\
+	{ MIBDECL(pfCntNormalize) },			\
+	{ MIBDECL(pfCntMemory) },			\
+	{ MIBDECL(pfCntTimestamp) },			\
+	{ MIBDECL(pfCntCongestion) },			\
+	{ MIBDECL(pfCntIpOptions) },			\
+	{ MIBDECL(pfCntProtoCksum) },			\
+	{ MIBDECL(pfCntStateMismatch) },		\
+	{ MIBDECL(pfCntStateInsert) },			\
+	{ MIBDECL(pfCntStateLimit) },			\
+	{ MIBDECL(pfCntSrcLimit) },			\
+	{ MIBDECL(pfCntSynproxy) },			\
+	{ MIBDECL(pfStateTable) },			\
+	{ MIBDECL(pfStateCount) },			\
+	{ MIBDECL(pfStateSearches) },			\
+	{ MIBDECL(pfStateInserts) },			\
+	{ MIBDECL(pfStateRemovals) },			\
+	{ MIBDECL(pfLogInterface) },			\
+	{ MIBDECL(pfLogIfName) },			\
+	{ MIBDECL(pfLogIfIpBytesIn) },			\
+	{ MIBDECL(pfLogIfIpBytesOut) },			\
+	{ MIBDECL(pfLogIfIpPktsInPass) },		\
+	{ MIBDECL(pfLogIfIpPktsInDrop) },		\
+	{ MIBDECL(pfLogIfIpPktsOutPass) },		\
+	{ MIBDECL(pfLogIfIpPktsOutDrop) },		\
+	{ MIBDECL(pfLogIfIp6BytesIn) },			\
+	{ MIBDECL(pfLogIfIp6BytesOut) },		\
+	{ MIBDECL(pfLogIfIp6PktsInPass) },		\
+	{ MIBDECL(pfLogIfIp6PktsInDrop) },		\
+	{ MIBDECL(pfLogIfIp6PktsOutPass) },		\
+	{ MIBDECL(pfLogIfIp6PktsOutDrop) },		\
+	{ MIBDECL(pfSrcTracking) },			\
+	{ MIBDECL(pfSrcTrackCount) },			\
+	{ MIBDECL(pfSrcTrackSearches) },		\
+	{ MIBDECL(pfSrcTrackInserts) },			\
+	{ MIBDECL(pfSrcTrackRemovals) },		\
+	{ MIBDECL(pfLimits) },				\
+	{ MIBDECL(pfLimitStates) },			\
+	{ MIBDECL(pfLimitSourceNodes) },		\
+	{ MIBDECL(pfLimitFragments) },			\
+	{ MIBDECL(pfLimitMaxTables) },			\
+	{ MIBDECL(pfLimitMaxTableEntries) },		\
+	{ MIBDECL(pfTimeouts) },			\
+	{ MIBDECL(pfTimeoutTcpFirst) },			\
+	{ MIBDECL(pfTimeoutTcpOpening) },		\
+	{ MIBDECL(pfTimeoutTcpEstablished) },		\
+	{ MIBDECL(pfTimeoutTcpClosing) },		\
+	{ MIBDECL(pfTimeoutTcpFinWait) },		\
+	{ MIBDECL(pfTimeoutTcpClosed) },		\
+	{ MIBDECL(pfTimeoutUdpFirst) },			\
+	{ MIBDECL(pfTimeoutUdpSingle) },		\
+	{ MIBDECL(pfTimeoutUdpMultiple) },		\
+	{ MIBDECL(pfTimeoutIcmpFirst) },		\
+	{ MIBDECL(pfTimeoutIcmpError) },		\
+	{ MIBDECL(pfTimeoutOtherFirst) },		\
+	{ MIBDECL(pfTimeoutOtherSingle) },		\
+	{ MIBDECL(pfTimeoutOtherMultiple) },		\
+	{ MIBDECL(pfTimeoutFragment) },			\
+	{ MIBDECL(pfTimeoutInterval) },			\
+	{ MIBDECL(pfTimeoutAdaptiveStart) },		\
+	{ MIBDECL(pfTimeoutAdaptiveEnd) },		\
+	{ MIBDECL(pfTimeoutSrcTrack) },			\
+	{ MIBDECL(pfInterfaces) },			\
+	{ MIBDECL(pfIfNumber) },			\
+	{ MIBDECL(pfIfTable) },				\
+	{ MIBDECL(pfIfEntry) },				\
+	{ MIBDECL(pfIfIndex) },				\
+	{ MIBDECL(pfIfDescr) },				\
+	{ MIBDECL(pfIfType) },				\
+	{ MIBDECL(pfIfRefs) },				\
+	{ MIBDECL(pfIfRules) },				\
+	{ MIBDECL(pfIfIn4PassPkts) },			\
+	{ MIBDECL(pfIfIn4PassBytes) },			\
+	{ MIBDECL(pfIfIn4BlockPkts) },			\
+	{ MIBDECL(pfIfIn4BlockBytes) },			\
+	{ MIBDECL(pfIfOut4PassPkts) },			\
+	{ MIBDECL(pfIfOut4PassBytes) },			\
+	{ MIBDECL(pfIfOut4BlockPkts) },			\
+	{ MIBDECL(pfIfOut4BlockBytes) },		\
+	{ MIBDECL(pfIfIn6PassPkts) },			\
+	{ MIBDECL(pfIfIn6PassBytes) },			\
+	{ MIBDECL(pfIfIn6BlockPkts) },			\
+	{ MIBDECL(pfIfIn6BlockBytes) },			\
+	{ MIBDECL(pfIfOut6PassPkts) },			\
+	{ MIBDECL(pfIfOut6PassBytes) },			\
+	{ MIBDECL(pfIfOut6BlockPkts) },			\
+	{ MIBDECL(pfIfOut6BlockBytes) },		\
+	{ MIBDECL(pfTables) },				\
+	{ MIBDECL(pfTblNumber) },			\
+	{ MIBDECL(pfTblTable) },			\
+	{ MIBDECL(pfTblEntry) },			\
+	{ MIBDECL(pfTblIndex) },			\
+	{ MIBDECL(pfTblName) },				\
+	{ MIBDECL(pfTblAddresses) },			\
+	{ MIBDECL(pfTblAnchorRefs) },			\
+	{ MIBDECL(pfTblRuleRefs) },			\
+	{ MIBDECL(pfTblEvalsMatch) },			\
+	{ MIBDECL(pfTblEvalsNoMatch) },			\
+	{ MIBDECL(pfTblInPassPkts) },			\
+	{ MIBDECL(pfTblInPassBytes) },			\
+	{ MIBDECL(pfTblInBlockPkts) },			\
+	{ MIBDECL(pfTblInBlockBytes) },			\
+	{ MIBDECL(pfTblInXPassPkts) },			\
+	{ MIBDECL(pfTblInXPassBytes) },			\
+	{ MIBDECL(pfTblOutPassPkts) },			\
+	{ MIBDECL(pfTblOutPassBytes) },			\
+	{ MIBDECL(pfTblOutBlockPkts) },			\
+	{ MIBDECL(pfTblOutBlockBytes) },		\
+	{ MIBDECL(pfTblOutXPassPkts) },			\
+	{ MIBDECL(pfTblOutXPassBytes) },		\
+	{ MIBDECL(pfTblStatsCleared) },			\
+	{ MIBDECL(pfTblAddrTable) },			\
+	{ MIBDECL(pfTblAddrEntry) },			\
+	{ MIBDECL(pfTblAddrTblIndex) },			\
+	{ MIBDECL(pfTblAddrNet) },			\
+	{ MIBDECL(pfTblAddrMask) },			\
+	{ MIBDECL(pfTblAddrCleared) },			\
+	{ MIBDECL(pfTblAddrInBlockPkts) },		\
+	{ MIBDECL(pfTblAddrInBlockBytes) },		\
+	{ MIBDECL(pfTblAddrInPassPkts) },		\
+	{ MIBDECL(pfTblAddrInPassBytes) },		\
+	{ MIBDECL(pfTblAddrOutBlockPkts) },		\
+	{ MIBDECL(pfTblAddrOutBlockBytes) },		\
+	{ MIBDECL(pfTblAddrOutPassPkts) },		\
+	{ MIBDECL(pfTblAddrOutPassBytes) },		\
+	{ MIBDECL(pfLabels) },				\
+	{ MIBDECL(pfLabelNumber) },			\
+	{ MIBDECL(pfLabelTable) },			\
+	{ MIBDECL(pfLabelEntry) },			\
+	{ MIBDECL(pfLabelIndex) },			\
+	{ MIBDECL(pfLabelName) },			\
+	{ MIBDECL(pfLabelEvals) },			\
+	{ MIBDECL(pfLabelPkts) },			\
+	{ MIBDECL(pfLabelBytes) },			\
+	{ MIBDECL(pfLabelInPkts) },			\
+	{ MIBDECL(pfLabelInBytes) },			\
+	{ MIBDECL(pfLabelOutPkts) },			\
+	{ MIBDECL(pfLabelOutBytes) },			\
+	{ MIBDECL(pfLabelTotalStates) },		\
+	{ MIBDECL(pfsyncStats) },			\
+	{ MIBDECL(pfsyncIpPktsRecv) },			\
+	{ MIBDECL(pfsyncIp6PktsRecv) },			\
+	{ MIBDECL(pfsyncPktDiscardsForBadInterface) },	\
+	{ MIBDECL(pfsyncPktDiscardsForBadTtl) },	\
+	{ MIBDECL(pfsyncPktShorterThanHeader) },	\
+	{ MIBDECL(pfsyncPktDiscardsForBadVersion) },	\
+	{ MIBDECL(pfsyncPktDiscardsForBadAction) },	\
+	{ MIBDECL(pfsyncPktDiscardsForBadLength) },	\
+	{ MIBDECL(pfsyncPktDiscardsForBadAuth) },	\
+	{ MIBDECL(pfsyncPktDiscardsForStaleState) },	\
+	{ MIBDECL(pfsyncPktDiscardsForBadValues) },	\
+	{ MIBDECL(pfsyncPktDiscardsForBadState) },	\
+	{ MIBDECL(pfsyncIpPktsSent) },			\
+	{ MIBDECL(pfsyncIp6PktsSent) },			\
+	{ MIBDECL(pfsyncNoMemory) },			\
+	{ MIBDECL(pfsyncOutputErrors) },		\
 	{ MIBDECL(sensorsMIBObjects) },			\
 	{ MIBDECL(sensors) },				\
 	{ MIBDECL(sensorNumber) },			\
diff --git a/usr.sbin/snmpd/pf.c b/usr.sbin/snmpd/pf.c
new file mode 100644
index 00000000000..8194d64a475
--- /dev/null
+++ b/usr.sbin/snmpd/pf.c
@@ -0,0 +1,483 @@
+/*	$OpenBSD: pf.c,v 1.1 2012/02/23 03:54:38 joel Exp $	*/
+
+/*
+ * Copyright (c) 2012 Joel Knight <joel@openbsd.org>
+ * Copyright (c) 2002 Cedric Berger
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *    - Redistributions in binary form must reproduce the above
+ *      copyright notice, this list of conditions and the following
+ *      disclaimer in the documentation and/or other materials provided
+ *      with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+
+#include <net/if.h>
+#include <net/pfvar.h>
+#include <arpa/inet.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <event.h>
+
+#include "snmpd.h"
+
+int	 devpf = 0;
+
+size_t 	 buf_esize[PFRB_MAX] = { 0,
+	sizeof(struct pfr_table), sizeof(struct pfr_tstats),
+	sizeof(struct pfr_addr), sizeof(struct pfr_astats),
+	sizeof(struct pfi_kif), sizeof(struct pfioc_trans_e)
+};
+
+int
+pf_init(void)
+{
+	if ((devpf = open("/dev/pf", O_RDONLY)) == -1)
+		return (1);
+
+	return (0);
+}
+
+int
+pf_get_stats(struct pf_status *s)
+{
+	extern int	 devpf;
+
+	memset(s, 0, sizeof(s));
+	if (ioctl(devpf, DIOCGETSTATUS, s)) {
+		log_warn("DIOCGETSTATUS");
+		return (-1);
+	}
+
+	return (0);
+}
+
+int
+pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
+		int flags)
+{
+	struct pfioc_table	 io;
+	extern int		 devpf;
+
+	if (tbl == NULL || size == NULL || *size < 0 ||
+	    (*size && addr == NULL)) 
+		return (-1);
+
+	bzero(&io, sizeof io);
+	io.pfrio_flags = flags;
+	io.pfrio_table = *tbl;
+	io.pfrio_buffer = addr;
+	io.pfrio_esize = sizeof(*addr);
+	io.pfrio_size = *size;
+	if (ioctl(devpf, DIOCRGETASTATS, &io)) 
+		return (-1);
+	*size = io.pfrio_size;
+	return (0);
+}
+
+int
+pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,
+	int flags)
+{
+	struct pfioc_table	 io;
+	extern int		 devpf;
+
+	if (size == NULL || *size < 0 || (*size && tbl == NULL))
+		return (-1);
+	bzero(&io, sizeof io);
+	io.pfrio_flags = flags;
+	if (filter != NULL)
+		io.pfrio_table = *filter;
+	io.pfrio_buffer = tbl;
+	io.pfrio_esize = sizeof(*tbl);
+	io.pfrio_size = *size;
+	if (ioctl(devpf, DIOCRGETTSTATS, &io))
+		return (-1);
+	*size = io.pfrio_size;
+	return (0);
+}
+
+int
+pfr_buf_grow(struct pfr_buffer *b, int minsize)
+{
+	caddr_t	 p;
+	size_t 	 bs;
+
+	if (minsize != 0 && minsize <= b->pfrb_msize)
+		return (0);
+	bs = buf_esize[b->pfrb_type];
+	if (!b->pfrb_msize) {
+		if (minsize < 64)
+			minsize = 64;
+		b->pfrb_caddr = calloc(bs, minsize);
+		if (b->pfrb_caddr == NULL)
+			return (-1);
+		b->pfrb_msize = minsize;
+	} else {
+		if (minsize == 0)
+			minsize = b->pfrb_msize * 2;
+		if (minsize < 0 || minsize >= SIZE_T_MAX / bs) {
+			/* msize overflow */
+			return (-1);
+		}
+		p = realloc(b->pfrb_caddr, minsize * bs);
+		if (p == NULL)
+			return (-1);
+		bzero(p + b->pfrb_msize * bs, (minsize - b->pfrb_msize) * bs);
+		b->pfrb_caddr = p;
+		b->pfrb_msize = minsize;
+	}
+	return (0);
+}
+
+void *
+pfr_buf_next(struct pfr_buffer *b, const void *prev)
+{
+	size_t	 bs;
+
+	if (b == NULL)
+		return (NULL);
+	if (b->pfrb_size == 0)
+		return (NULL);
+	if (prev == NULL) 
+		return (b->pfrb_caddr);
+	bs = buf_esize[b->pfrb_type];
+	if ((((caddr_t)prev)-((caddr_t)b->pfrb_caddr)) / bs >= b->pfrb_size-1)
+		return (NULL);
+
+	return (((caddr_t)prev) + bs);
+}
+
+int
+pfi_get_ifaces(const char *filter, struct pfi_kif *buf, int *size)
+{
+	struct pfioc_iface	 io;
+	extern int		 devpf;
+
+	if (size == NULL || *size < 0 || (*size && buf == NULL)) {
+		errno = EINVAL;
+		return (-1);
+	}
+	bzero(&io, sizeof io);
+	if (filter != NULL)
+		if (strlcpy(io.pfiio_name, filter, sizeof(io.pfiio_name)) >=
+		    sizeof(io.pfiio_name)) {
+			errno = EINVAL;
+			return (-1);
+		}
+	io.pfiio_buffer = buf;
+	io.pfiio_esize = sizeof(*buf);
+	io.pfiio_size = *size;
+	if (ioctl(devpf, DIOCIGETIFACES, &io))
+		return (-1);
+	*size = io.pfiio_size;
+	return (0);
+}
+
+int
+pfi_get(struct pfr_buffer *b, const char *filter)
+{
+	bzero(b, sizeof(struct pfr_buffer));
+	b->pfrb_type = PFRB_IFACES;
+	for (;;) {
+		pfr_buf_grow(b, b->pfrb_size);
+		b->pfrb_size = b->pfrb_msize;
+		if (pfi_get_ifaces(filter, b->pfrb_caddr, &(b->pfrb_size)))
+			return (1);
+		if (b->pfrb_size <= b->pfrb_msize)
+			break;
+	}
+
+	return (0);
+}
+
+int
+pfi_count(void)
+{
+	struct pfr_buffer 	 b;
+	struct pfi_kif 		*p;
+	int			 c = 0;
+
+	if (pfi_get(&b, NULL))
+		return (-1);
+
+	PFRB_FOREACH(p, &b)
+		c++;
+
+	free(b.pfrb_caddr);
+	return (c);
+}
+
+int
+pfi_get_if(struct pfi_kif *rp, int idx)
+{
+	struct pfr_buffer	 b;
+	struct pfi_kif		*p;
+	int			 i = 1;
+
+	if (pfi_get(&b, NULL))
+		return (-1);
+
+	PFRB_FOREACH(p, &b) {
+		if (i == idx)
+			break;
+		i++;
+	}
+
+	if (p == NULL) {
+		free(b.pfrb_caddr);
+		return (-1);
+	}
+
+	bcopy(p, rp, sizeof(struct pfi_kif));
+	free(b.pfrb_caddr);
+
+	return (0);
+}
+
+int
+pft_get(struct pfr_buffer *b, struct pfr_table *filter)
+{
+	bzero(b, sizeof(struct pfr_buffer));
+	b->pfrb_type = PFRB_TSTATS;
+	
+	for (;;) {
+		pfr_buf_grow(b, b->pfrb_size);
+		b->pfrb_size = b->pfrb_msize;
+		if (pfr_get_tstats(filter, b->pfrb_caddr, &(b->pfrb_size), 0))
+			return (1);
+		if (b->pfrb_size <= b->pfrb_msize)
+			break;
+	}
+
+	return (0);
+}
+
+int
+pft_get_table(struct pfr_tstats *rts, int idx)
+{
+	struct pfr_buffer	 b;
+	struct pfr_tstats	*ts;
+	int			 i = 1;
+
+	if (pft_get(&b, NULL))
+		return (-1);
+
+	PFRB_FOREACH(ts, &b) {
+		if (!(ts->pfrts_flags & PFR_TFLAG_ACTIVE))
+			continue;
+		if (i == idx)
+			break;
+		i++;
+	}
+
+	if (ts == NULL) {
+		free(b.pfrb_caddr);
+		return (-1);
+	}
+
+	bcopy(ts, rts, sizeof(struct pfr_tstats));
+	free(b.pfrb_caddr);
+
+	return (0);
+}
+
+int
+pft_count(void)
+{
+	struct pfr_buffer	 b;
+	struct pfr_tstats	*ts;
+	int			 c = 0;
+
+	if (pft_get(&b, NULL))
+		return (-1);
+
+	PFRB_FOREACH(ts, &b) {
+		if (!(ts->pfrts_flags & PFR_TFLAG_ACTIVE))
+			continue;
+		c++;
+	}
+
+	free(b.pfrb_caddr);
+	return (c);
+}
+
+int
+pfta_get(struct pfr_buffer *b, struct pfr_table *filter)
+{
+	bzero(b, sizeof(struct pfr_buffer));
+	b->pfrb_type = PFRB_ASTATS;
+
+	for (;;) {
+		pfr_buf_grow(b, b->pfrb_size);
+		b->pfrb_size = b->pfrb_msize;
+		if (pfr_get_astats(filter, b->pfrb_caddr, &(b->pfrb_size), 0)) {
+			return (1);
+		}
+		if (b->pfrb_size <= b->pfrb_msize)
+			break;
+	}
+	
+	return (0);
+}
+
+int
+pfta_get_addr(struct pfr_astats *ras, int tblidx)
+{
+	struct pfr_buffer	 ba;
+	struct pfr_tstats	 ts;
+	struct pfr_table	 filter;
+	struct pfr_astats	*as;
+
+	if (pft_get_table(&ts, tblidx))
+		return (-1);
+
+	bzero(&filter, sizeof(filter));
+	if (strlcpy(filter.pfrt_name, ts.pfrts_name,
+	    sizeof(filter.pfrt_name)) >= sizeof(filter.pfrt_name)) {
+		return (-1);
+	}
+
+	if (pfta_get(&ba, &filter) || ba.pfrb_size == 0) {
+		free(ba.pfrb_caddr);
+		return (-1);
+	}
+
+	PFRB_FOREACH(as, &ba) {
+		if (as->pfras_a.pfra_af != AF_INET)
+			continue;
+		if ((memcmp(&as->pfras_a.pfra_ip4addr, &ras->pfras_a.pfra_ip4addr,
+		    sizeof(as->pfras_a.pfra_ip4addr)) == 0)
+		    && (as->pfras_a.pfra_net == ras->pfras_a.pfra_net))
+			break;
+	}
+
+	if (as == NULL) {
+		free(ba.pfrb_caddr);
+		return (-1);
+	}
+
+	bcopy(as, ras, sizeof(struct pfr_astats));
+	free(ba.pfrb_caddr);
+
+	return (0);
+}
+
+int
+pfta_get_nextaddr(struct pfr_astats *ras, int *tblidx)
+{
+	struct pfr_buffer	 ba;
+	struct pfr_tstats	 ts;
+	struct pfr_table	 filter;
+	struct pfr_astats	*as;
+	int			 i, found = 0;
+
+	ba.pfrb_caddr = NULL;
+
+	for (i = *tblidx; !pft_get_table(&ts, i); i++) {
+		bzero(&filter, sizeof(filter));
+		if (strlcpy(filter.pfrt_name, ts.pfrts_name,
+		    sizeof(filter.pfrt_name)) >= sizeof(filter.pfrt_name))
+			goto fail;
+
+		if (pfta_get(&ba, &filter) || ba.pfrb_size == 0)
+			goto fail;
+
+		PFRB_FOREACH(as, &ba) {
+			if (found)
+				goto found;
+			if (as->pfras_a.pfra_af != AF_INET)
+				continue;
+			if ((memcmp(&as->pfras_a.pfra_ip4addr,
+			    &ras->pfras_a.pfra_ip4addr,
+			    sizeof(as->pfras_a.pfra_ip4addr)) == 0)
+			    && (as->pfras_a.pfra_net == ras->pfras_a.pfra_net))
+				found = 1;
+		}
+	}
+
+
+ fail:
+	free(ba.pfrb_caddr);
+
+	return (-1);
+
+ found:
+	bcopy(as, ras, sizeof(struct pfr_astats));
+	*tblidx = i;
+
+	free(ba.pfrb_caddr);
+
+	return (0);
+}
+
+int
+pfta_get_first(struct pfr_astats *ras)
+{
+	struct pfr_buffer	 ba;
+	struct pfr_tstats	 ts;
+	struct pfr_table	 filter;
+	struct pfr_astats	*as;
+
+	if (pft_get_table(&ts, 1))
+		return (-1);
+
+	bzero(&filter, sizeof(filter));
+	if (strlcpy(filter.pfrt_name, ts.pfrts_name,
+	    sizeof(filter.pfrt_name)) >= sizeof(filter.pfrt_name)) {
+		return (-1);
+	}
+
+	if (pfta_get(&ba, &filter) || ba.pfrb_size == 0) {
+		free(ba.pfrb_caddr);
+		return (-1);
+	}
+
+	/* take the first AF_INET addr */
+	PFRB_FOREACH(as, &ba) {
+		if (as->pfras_a.pfra_af != AF_INET)
+			continue;
+		break;
+	}
+
+	if (as == NULL) {
+		free(ba.pfrb_caddr);
+		return (-1);
+	}
+
+	bcopy(as, ras, sizeof(struct pfr_astats));
+	free(ba.pfrb_caddr);
+
+	return (0);
+}
+
diff --git a/usr.sbin/snmpd/snmpd.c b/usr.sbin/snmpd/snmpd.c
index 6a3bd9d6130..1c8d1c2897b 100644
--- a/usr.sbin/snmpd/snmpd.c
+++ b/usr.sbin/snmpd/snmpd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: snmpd.c,v 1.9 2009/06/06 05:52:01 pyr Exp $	*/
+/*	$OpenBSD: snmpd.c,v 1.10 2012/02/23 03:54:38 joel Exp $	*/
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -174,6 +174,9 @@ main(int argc, char *argv[])
 
 	log_info("startup");
 
+	if (pf_init())
+		fatal("cannot open /dev/pf");
+
 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC,
 	    pipe_parent2snmpe) == -1)
 		fatal("socketpair");
diff --git a/usr.sbin/snmpd/snmpd.h b/usr.sbin/snmpd/snmpd.h
index e6c2a41d92a..ed0d1ddca7a 100644
--- a/usr.sbin/snmpd/snmpd.h
+++ b/usr.sbin/snmpd/snmpd.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: snmpd.h,v 1.32 2012/02/01 18:44:06 camield Exp $	*/
+/*	$OpenBSD: snmpd.h,v 1.33 2012/02/23 03:54:38 joel Exp $	*/
 
 /*
  * Copyright (c) 2007, 2008 Reyk Floeter <reyk@vantronix.net>
@@ -22,6 +22,7 @@
 
 #include <netinet/in.h>
 #include <netinet/if_ether.h>
+#include <net/pfvar.h>
 #include <net/route.h>
 
 #include <ber.h>
@@ -208,6 +209,31 @@ struct oid {
 #define MIBEND			{ { 0 } }, NULL
 
 /*
+ * pf
+ */
+
+enum {	PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS,
+	PFRB_IFACES, PFRB_TRANS, PFRB_MAX };
+
+enum {  IN, OUT };
+enum {  IPV4, IPV6 };
+enum {  PASS, BLOCK };
+
+enum {  PFI_IFTYPE_GROUP, PFI_IFTYPE_INSTANCE };
+
+struct pfr_buffer {
+	int	 pfrb_type;	/* type of content, see enum above */
+	int	 pfrb_size;	/* number of objects in buffer */
+	int	 pfrb_msize;	/* maximum number of objects in buffer */
+	void	*pfrb_caddr;	/* malloc'ated memory area */
+};
+
+#define PFRB_FOREACH(var, buf)				\
+	for ((var) = pfr_buf_next((buf), NULL);		\
+	    (var) != NULL;				\
+	    (var) = pfr_buf_next((buf), (var)))
+
+/*
  * daemon structures
  */
 
@@ -382,6 +408,27 @@ void		 mps_encodeinaddr(struct ber_oid *, struct in_addr *, int);
 void		 mps_decodeinaddr(struct ber_oid *, struct in_addr *, int);
 struct ber_oid	*mps_table(struct oid *, struct ber_oid *, struct ber_oid *);
 
+/* pf.c */
+int			 pf_init(void);
+int			 pf_get_stats(struct pf_status *);
+int			 pfr_get_astats(struct pfr_table *, struct pfr_astats *,
+			    int *, int);
+int			 pfr_get_tstats(struct pfr_table *, struct pfr_tstats *,
+			    int *, int);
+int			 pfr_buf_grow(struct pfr_buffer *, int);
+void			*pfr_buf_next(struct pfr_buffer *, const void *);
+int			 pfi_get_ifaces(const char *, struct pfi_kif *, int *);
+int	 		 pfi_get(struct pfr_buffer *, const char *);
+int	 	 	 pfi_count(void);
+int			 pfi_get_if(struct pfi_kif *, int);
+int			 pft_get(struct pfr_buffer *, struct pfr_table *);
+int			 pft_count(void);
+int		 	 pft_get_table(struct pfr_tstats *, int);
+int			 pfta_get(struct pfr_buffer *, struct pfr_table *);
+int			 pfta_get_addr(struct pfr_astats *, int);
+int			 pfta_get_nextaddr(struct pfr_astats *, int *);
+int			 pfta_get_first(struct pfr_astats *);
+
 /* smi.c */
 int		 smi_init(void);
 u_long		 smi_getticks(void);