Add initial support for pf state synchronization over the network.

Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contains regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

1 files changed, 13 insertions, 2 deletions

diff --git a/usr.sbin/tcpdump/print-ip.c b/usr.sbin/tcpdump/print-ip.c
index 38adc28f95a..2ce375185a7 100644
--- a/usr.sbin/tcpdump/print-ip.c
+++ b/usr.sbin/tcpdump/print-ip.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: print-ip.c,v 1.19 2003/02/20 23:39:20 jason Exp $	*/
+/*	$OpenBSD: print-ip.c,v 1.20 2003/12/15 07:11:31 mcbride Exp $	*/
 
 /*
  * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -23,7 +23,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /home/cvs/src/usr.sbin/tcpdump/print-ip.c,v 1.19 2003/02/20 23:39:20 jason Exp $ (LBL)";
+    "@(#) $Header: /home/cvs/src/usr.sbin/tcpdump/print-ip.c,v 1.20 2003/12/15 07:11:31 mcbride Exp $ (LBL)";
 #endif
 
 #include <sys/param.h>
@@ -557,6 +557,17 @@ ip_print(register const u_char *bp, register u_int length)
 			vrrp_print(cp, len, ip->ip_ttl);
 			break;
 
+#ifndef IPPROTO_PFSYNC  
+#define IPPROTO_PFSYNC 136
+#endif
+		case IPPROTO_PFSYNC:
+			if (vflag)
+				(void)printf("pfsync %s > %s: ",
+					     ipaddr_string(&ip->ip_src),
+					     ipaddr_string(&ip->ip_dst));
+			pfsync_ip_print(cp, len, (const u_char *)ip);
+			break;
+
 		default:
 			(void)printf("%s > %s:", ipaddr_string(&ip->ip_src),
 				ipaddr_string(&ip->ip_dst));