authordlg <dlg@openbsd.org>2009-06-14 00:16:50 +0000
committerdlg <dlg@openbsd.org>2009-06-14 00:16:50 +0000
commitf994b649a0ffa51355f3ea007471b931a65a15b5 (patch)
treefb9174de2bca4ca95e7e234a98ad9aee557e4ee2 /sys/net/if_pfsync.h
parentWe want to install a LIF label on the disk before we run disklabel -A (diff)
enable support for deferring the packet that creates a state so that your
sync peers are able to get the states before the replies. previously there was a race where the reply could hit a partner firewall before it had the state for it, which caused the reply to get processed by the ruleset which probably would drop it. this behaviour is off by default because it does delay packets, which is only wanted in active-active firewalls or when an upstream router is slow to learn that you've moved the active member of the pfsync cluster. it also uses memory keeping the packets in the kernel. use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to disable. tested by sthen@ who loves it. he's got manpage changes coming up for me.
Diffstat (limited to 'sys/net/if_pfsync.h')
-rw-r--r--sys/net/if_pfsync.h7
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
index 2c124276cbd..8ffd5ca24c4 100644
--- a/sys/net/if_pfsync.h
+++ b/sys/net/if_pfsync.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.h,v 1.37 2009/03/31 01:21:29 dlg Exp $ */
+/* $OpenBSD: if_pfsync.h,v 1.38 2009/06/14 00:16:50 dlg Exp $ */
/*
* Copyright (c) 2001 Michael Shalayeff
@@ -159,7 +159,8 @@ struct pfsync_upd_c {
u_int32_t creatorid;
u_int32_t expire;
u_int8_t timeout;
- u_int8_t _pad[3];
+ u_int8_t state_flags;
+ u_int8_t _pad[2];
} __packed;
/*
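Review bot: `state_flags` takes over the byte that was `_pad[0]` in `struct pfsync_upd_c`, and nothing on the field says which bits are defined or how a receiver should treat the rest. The struct is `__packed` and keeps its size, so a peer built before this change still sends a pad byte in that position; whether older senders always zeroed it is not visible in this hunk. I would add `/* was _pad[0]; receivers must mask to the defined flag bits */` on the new field, and have the consuming code (outside this header) ignore undefined bits rather than copy the byte into local state as-is. The struct begins above the hunk.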
@@ -263,7 +264,7 @@ struct pfsyncreq {
char pfsyncr_syncdev[IFNAMSIZ];
struct in_addr pfsyncr_syncpeer;
int pfsyncr_maxupdates;
- int pfsyncr_authlevel;
+ int pfsyncr_defer;
};
#ifdef _KERNEL
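Review bot: `pfsyncr_defer` reuses the slot that `pfsyncr_authlevel` occupied in `struct pfsyncreq`, so the layout is unchanged but the meaning of that int is not, and the field carries no comment saying so. A userland binary built against the old header that leaves a non-zero value there would, as far as this hunk shows, switch deferral on unintentionally; the commit message notes that deferral keeps packets in kernel memory, so the handler (not visible here) should normalise the value to 0 or 1 and sit behind whatever privilege check guards the set request. Suggested comment: `/* 0 = off, non-zero = defer state-creating packets; replaces pfsyncr_authlevel */`. The struct begins above the hunk.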