authormlaier <mlaier@FreeBSD.org>2004-06-16 23:26:00 +0000
committermlaier <mlaier@FreeBSD.org>2004-06-16 23:26:00 +0000
commit6a32f6ec2e479ff91d30ed651bcb24ad8d14e84e (patch)
tree91591a3c3277d8525d725da18322a0f9ba6078a2 /contrib/pf/man
parentc9eda2a3d0e4116e5b63faaab29f4fe0695a4dad (diff)
Import userland of pf 3.5 from OpenBSD (OPENBSD_3_5_BASE).
Diffstat (limited to 'contrib/pf/man')
-rw-r--r--contrib/pf/man/pf.4230
-rw-r--r--contrib/pf/man/pf.conf.5252
-rw-r--r--contrib/pf/man/pf.os.54
-rw-r--r--contrib/pf/man/pflog.415
-rw-r--r--contrib/pf/man/pfsync.4166
5 files changed, 547 insertions, 120 deletions
diff --git a/contrib/pf/man/pf.4 b/contrib/pf/man/pf.4
index f01dcb3..df0ff6c 100644
--- a/contrib/pf/man/pf.4
+++ b/contrib/pf/man/pf.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.37 2003/08/28 09:41:22 jmc Exp $
+.\" $OpenBSD: pf.4,v 1.48 2004/03/27 17:15:30 henning Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@@ -33,7 +33,7 @@
.Nm pf
.Nd packet filter
.Sh SYNOPSIS
-.Cd "pseudo-device pf 1"
+.Cd "pseudo-device pf"
.Sh DESCRIPTION
Packet filtering takes place in the kernel.
A pseudo-device,
@@ -72,11 +72,7 @@ Stops the packet filter.
Starts the ALTQ bandwidth control system.
.It Dv DIOCSTOPALTQ
Stops the ALTQ bandwidth control system.
-.It Dv DIOCBEGINADDRS Fa "u_int32_t"
-Clears the buffer address pool
-and returns a ticket for subsequent DIOCADDADDR, DIOCADDRULE and
-DIOCCHANGERULE calls.
-.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr"
+.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr"
.Bd -literal
struct pfioc_pooladdr {
u_int32_t action;
@@ -92,16 +88,17 @@ struct pfioc_pooladdr {
};
.Ed
.Pp
+Clears the buffer address pool
+and returns a
+.Va ticket
+for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
+.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr"
+.Pp
Adds pool address
.Va addr
to the buffer address pool to be used in the following
DIOCADDRULE or DIOCCHANGERULE call.
All other members of the structure are ignored.
-.It Dv DIOCBEGINRULES Fa "u_int32_t"
-Clears the inactive ruleset for the type of rule indicated by
-.Va rule.action
-and returns a ticket for subsequent
-DIOCADDRULE and DIOCCOMMITRULES calls.
.It Dv DIOCADDRULE Fa "struct pfioc_rule"
.Bd -literal
struct pfioc_rule {
@@ -120,7 +117,7 @@ Adds
at the end of the inactive ruleset.
Requires
.Va ticket
-obtained through preceding DIOCBEGINRULES call, and
+obtained through preceding DIOCXBEGIN call, and
.Va pool_ticket
obtained through DIOCBEGINADDRS call.
DIOCADDADDR must also be called if any pool addresses are required.
@@ -133,26 +130,16 @@ names indicate the anchor and ruleset in which to append the rule.
and
.Va action
are ignored.
-.It Dv DIOCCOMMITRULES Fa "u_int32_t"
-Switch inactive to active filter ruleset.
-Requires
-.Va ticket .
-.It Dv DIOCBEGINALTQS Fa "u_int32_t"
-Clears the inactive list of queues and returns a ticket for subsequent
-DIOCADDALTQ and DIOCCOMMITALTQS calls.
.It Dv DIOCADDALTQ Fa "struct pfioc_altq"
Adds
.Bd -literal
struct pfioc_altq {
+ u_int32_t action;
u_int32_t ticket;
u_int32_t nr;
struct pf_altq altq;
};
.Ed
-.It Dv DIOCCOMMITALTQS Fa "u_int32_t"
-Switch inactive to active list of queues.
-Requires
-.Va ticket .
.It Dv DIOCGETRULES Fa "struct pfioc_rule"
Returns
.Va ticket
@@ -224,8 +211,6 @@ of length
.Va nbytes
for the queue specified by
.Va nr .
-.It Dv DIOCCLRSTATES
-Clears the state table.
.It Dv DIOCADDSTATE Fa "struct pfioc_state"
Adds a state entry.
.It Dv DIOCGETSTATE Fa "struct pfioc_state"
@@ -246,8 +231,16 @@ struct pfioc_state_kill {
int psk_proto;
struct pf_rule_addr psk_src;
struct pf_rule_addr psk_dst;
+ char psk_ifname[IFNAMSIZ];
};
.Ed
+.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill"
+Clears all states.
+It works like
+.Dv DIOCKILLSTATES ,
+but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the
+.Fa pfioc_state_kill
+structure.
.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if"
.Bd -literal
struct pfioc_if {
@@ -259,14 +252,19 @@ Specifies the interface for which statistics are accumulated.
.It Dv DIOCGETSTATUS Fa "struct pf_status"
.Bd -literal
struct pf_status {
- u_int64_t counters[PFRES_MAX];
- u_int64_t fcounters[FCNT_MAX];
- u_int64_t pcounters[2][2][3];
- u_int64_t bcounters[2][2];
- u_int32_t running;
- u_int32_t states;
- u_int32_t since;
- u_int32_t debug;
+ u_int64_t counters[PFRES_MAX];
+ u_int64_t fcounters[FCNT_MAX];
+ u_int64_t scounters[SCNT_MAX];
+ u_int64_t pcounters[2][2][3];
+ u_int64_t bcounters[2][2];
+ u_int64_t stateid;
+ u_int32_t running;
+ u_int32_t states;
+ u_int32_t src_nodes;
+ u_int32_t since;
+ u_int32_t debug;
+ u_int32_t hostid;
+ char ifname[IFNAMSIZ];
};
.Ed
.Pp
@@ -285,7 +283,7 @@ struct pfioc_natlook {
u_int16_t dport;
u_int16_t rsport;
u_int16_t rdport;
- u_int8_t af;
+ sa_family_t af;
u_int8_t proto;
u_int8_t direction;
};
@@ -525,19 +523,6 @@ or deleted by the kernel.
Yes, tables can be deleted if one removes the
.Va persist
flag of an unreferenced table.
-.It Dv DIOCRINABEGIN Fa "struct pfioc_table"
-Starts a transaction with the inactive set of tables.
-Cleans up any leftover from a previously aborted transaction, and returns
-a new ticket.
-On exit, pfrio_ndel contains the number of leftover table deleted, and
-pfrio_ticket contains a valid ticket to use for the following two IOCTLs.
-.It Dv DIOCRINACOMMIT Fa "struct pfioc_table"
-Commit the inactive set of tables into the active set.
-While copying the addresses, do a best effort to keep statistics for
-addresses present before and after the commit.
-On entry, io->pfrio_ticket takes a valid ticket.
-On exit, io->pfrio_nadd and io->pfrio_nchange contain the number of tables
-added and altered by the commit operation.
.It Dv DIOCRINADEFINE Fa "struct pfioc_table"
Defines a table in the inactive set.
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
@@ -546,6 +531,46 @@ A valid ticket must also be supplied to pfrio_ticket.
On exit, pfrio_nadd contains 0 if the table was already defined in the
inactive list, or 1 if a new table has been created.
pfrio_naddr contains the number of addresses effectively put in the table.
+.It Dv DIOCXBEGIN Fa "struct pfioc_trans"
+.Bd -literal
+#define PF_RULESET_ALTQ (PF_RULESET_MAX)
+#define PF_RULESET_TABLE (PF_RULESET_MAX+1)
+struct pfioc_trans {
+ int size; /* number of elements */
+ int esize; /* size of each element in bytes */
+ struct pfioc_trans_e {
+ int rs_num;
+ char anchor[PF_ANCHOR_NAME_SIZE];
+ char ruleset[PF_RULESET_NAME_SIZE];
+ u_int32_t ticket;
+ } *array;
+};
+.Ed
+.Pp
+Clears all the inactive rulesets specified in the
+.Fa "struct pfioc_trans_e"
+array.
+For each ruleset, a ticket is returned for subsequent "add rule" IOCTLs,
+as well as for the
+.Dv DIOCXCOMMIT
+and
+.Dv DIOCXROLLBACK
+calls.
+.It Dv DIOCXCOMMIT Fa "struct pfioc_trans"
+Atomically switch a vector of inactive rulesets to the active rulesets.
+Implemented as a standard 2-phase commit, which will either fail for all
+rulesets or completely succeed.
+All tickets need to be valid.
+Returns
+.Dv EBUSY
+if a concurrent process is trying to update some of the same rulesets
+concurrently.
+.It Dv DIOCXROLLBACK Fa "struct pfioc_trans"
+Clean up the kernel by undoing all changes that have taken place on the
+inactive rulesets since the last
+.Dv DIOCXBEGIN .
+.Dv DIOCXROLLBACK
+will silently ignore rulesets for which the ticket is invalid.
.It Dv DIOCFPFLUSH
Flush the passive OS fingerprint table.
.It Dv DIOCFPADD Fa "struct pf_osfp_ioctl"
@@ -623,6 +648,115 @@ The rest of the structure members will come back filled.
Get the whole list by repeatedly incrementing the
.Va fp_getnum
number until the ioctl returns EBUSY.
+.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes"
+.Bd -literal
+struct pfioc_src_nodes {
+ int psn_len;
+ union {
+ caddr_t psu_buf;
+ struct pf_src_node *psu_src_nodes;
+ } psn_u;
+#define psn_buf psn_u.psu_buf
+#define psn_src_nodes psn_u.psu_src_nodes
+};
+.Ed
+.Pp
+Get the list of source nodes kept by the
+.Ar sticky-address
+and
+.Ar source-track
+options.
+The ioctl must be called once with
+.Va psn_len
+set to 0.
+If the ioctl returns without error,
+.Va psn_len
+will be set to the size of the buffer required to hold all the
+.Va pf_src_node
+structures held in the table.
+A buffer of this size should then be allocated, and a pointer to this buffer
+placed in
+.Va psn_buf .
+The ioctl must then be called again to fill this buffer with the actual
+source node data.
+After the ioctl call
+.Va psn_len
+will be set to the length of the buffer actually used.
+.It Dv DIOCCLRSRCNODES Fa "struct pfioc_table"
+Clear the tree of source tracking nodes.
+.It Dv DIOCIGETIFACES Fa "struct pfioc_iface"
+Gets the list of interfaces and interface drivers known to
+.Nm .
+All the IOCTLs that manipulate interfaces
+use the same structure described below:
+.Bd -literal
+struct pfioc_iface {
+ char pfiio_name[IFNAMSIZ];
+ void *pfiio_buffer;
+ int pfiio_esize;
+ int pfiio_size;
+ int pfiio_nzero;
+ int pfiio_flags;
+};
+
+#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */
+#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */
+#define PFI_FLAG_ALLMASK 0x0003
+.Ed
+.Pp
+If not empty,
+.Va pfiio_name
+can be used to restrict the search to a specific interface or driver.
+.Va pfiio_buffer[pfiio_size]
+is the user-supplied buffer for returning the data.
+On entry,
+.Va pfiio_size
+represents the number of
+.Va pfi_if
+entries that can fit into the buffer.
+The kernel will replace this value by the real number of entries it wants
+to return.
+.Va pfiio_esize
+should be set to sizeof(struct pfi_if).
+.Va pfiio_flags
+should be set to
+.Dv PFI_FLAG_GROUP , PFI_FLAG_INSTANCE ,
+or both to tell the kernel to return a group of interfaces
+(drivers, like "fxp"), real interface instances (like "fxp1") or both.
+The data is returned in the
+.Va pfi_if
+structure described below:
+.Bd -literal
+struct pfi_if {
+ char pfif_name[IFNAMSIZ];
+ u_int64_t pfif_packets[2][2][2];
+ u_int64_t pfif_bytes[2][2][2];
+ u_int64_t pfif_addcnt;
+ u_int64_t pfif_delcnt;
+ long pfif_tzero;
+ int pfif_states;
+ int pfif_rules;
+ int pfif_flags;
+};
+
+#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */
+#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */
+#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */
+#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */
+#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */
+#define PFI_IFLAG_REFERENCED 0x0080 /* referenced by rules */
+.Ed
+.It Dv DIOCICLRISTATS Fa "struct pfioc_iface"
+Clear the statistics counters of one or more interfaces.
+.Va pfiio_name
+and
+.Va pfrio_flags
+can be used to select which interfaces need to be cleared.
+The filtering process is the same as for
+.Dv DIOCIGETIFACES .
+.Va pfiio_nzero
+will be set by the kernel to the number of interfaces and drivers
+that have been cleared.
.El
.Sh EXAMPLES
The following example demonstrates how to use the DIOCNATLOOK command
diff --git a/contrib/pf/man/pf.conf.5 b/contrib/pf/man/pf.conf.5
index 9881318..b5db412 100644
--- a/contrib/pf/man/pf.conf.5
+++ b/contrib/pf/man/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.271 2003/09/02 18:37:08 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.292 2004/02/24 05:44:48 mcbride Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -234,6 +234,9 @@ command.
Interval between purging expired states and fragments.
.It Ar frag
Seconds before an unassembled fragment is expired.
+.It Ar src.track
+Length of time to retain a source tracking entry after the last state
+expires.
.El
.Pp
When a packet matches a stateful connection, the seconds to live for the
@@ -366,10 +369,21 @@ sets the maximum number of entries in the memory pool used for fragment
reassembly (generated by
.Ar scrub
rules) to 20000.
+Finally,
+.Bd -literal -offset indent
+set limit src-nodes 2000
+.Ed
+.Pp
+sets the maximum number of entries in the memory pool used for tracking
+source IP addresses (generated by the
+.Ar sticky-address
+and
+.Ar source-track
+options) to 2000.
.Pp
These can be combined:
.Bd -literal -offset indent
-set limit { states 20000, frags 20000 }
+set limit { states 20000, frags 20000, src-nodes 2000 }
.Ed
.Pp
.It Ar set optimization
@@ -420,6 +434,24 @@ For example:
.Bd -literal -offset indent
set block-policy return
.Ed
+.It Ar set state-policy
+The
+.Ar state-policy
+option sets the default behaviour for states:
+.Pp
+.Bl -tag -width group-bound -compact
+.It Ar if-bound
+States are bound to interface.
+.It Ar group-bound
+States are bound to interface group (i.e. ppp)
+.It Ar floating
+States can match packets on any interfaces (the default).
+.El
+.Pp
+For example:
+.Bd -literal -offset indent
+set state-policy if-bound
+.Ed
.It Ar set require-order
By default
.Xr pfctl 8
@@ -450,6 +482,22 @@ ruleset finishes loading.
For example:
.Pp
.Dl set fingerprints \&"/etc/pf.os.devel\&"
+.Pp
+.It Ar set debug
+Set the debug
+.Ar level
+to one of the following:
+.Pp
+.Bl -tag -width xxxxxxxxxxxx -compact
+.It Ar none
+Don't generate debug messages.
+.It Ar urgent
+Generate debug messages only for serious errors.
+.It Ar misc
+Generate debug messages for various errors.
+.It Ar loud
+Generate debug messages for common conditions.
+.El
.El
.Sh TRAFFIC NORMALIZATION
Traffic normalization is used to sanitize packet content in such
@@ -1092,15 +1140,17 @@ are specified, the rule will match packets in both directions.
.It Ar log
In addition to the action specified, a log message is generated.
All packets for that connection are logged, unless the
-.Ar keep state
-or
+.Ar keep state ,
.Ar modulate state
+or
+.Ar synproxy state
options are specified, in which case only the
packet that establishes the state is logged.
(See
-.Ar keep state
-and
+.Ar keep state ,
.Ar modulate state
+and
+.Ar synproxy state
below).
The logged packets are sent to the
.Xr pflog 4
@@ -1114,9 +1164,10 @@ in
binary format.
.It Ar log-all
Used with
-.Ar keep state
-or
+.Ar keep state ,
.Ar modulate state
+or
+.Ar synproxy state
rules to force logging of all packets for a connection.
As with
.Ar log ,
@@ -1131,6 +1182,8 @@ is skipped.
.It Ar on <interface>
This rule applies only to packets coming in on, or going out through, this
particular interface.
+It is also possible to simply give the interface driver name, like ppp or fxp,
+to make the rule match packets flowing through a group of interfaces.
.It Ar <af>
This rule applies only to packets of this address family.
Supported values are
@@ -1175,14 +1228,24 @@ Interface names can have modifiers appended:
Translates to the network(s) attached to the interface.
.It Ar :broadcast
Translates to the interface's broadcast address(es).
+.It Ar :peer
+Translates to the point to point interface's peer address(es).
+.It Ar :0
+Do not include interface aliases.
.El
.Pp
+Host names may also have the
+.Ar :0
+option appended to restrict the name resolution to the first of each
+v4 and v6 address found.
+.Pp
Host name resolution and interface to address translation are done at
ruleset load-time.
When the address of an interface (or host name) changes (under DHCP or PPP,
for instance), the ruleset must be reloaded for the change to be reflected
in the kernel.
-Surrounding the interface name in parentheses changes this behaviour.
+Surrounding the interface name (and optional modifiers) in parentheses
+changes this behaviour.
When the interface name is surrounded by parentheses, the rule is
automatically updated whenever the interface changes its address.
The ruleset does not need to be reloaded.
@@ -1205,15 +1268,19 @@ Ports and ranges of ports are specified by using these operators:
<= (less than or equal)
> (greater than)
>= (greater than or equal)
->< (range)
+: (range including boundaries)
+>< (range excluding boundaries)
<> (except range)
.Ed
.Pp
->< and <>
-are binary operators (they take two arguments), and the range
-does not include the limits.
+><, <> and :
+are binary operators (they take two arguments).
For instance:
.Bl -tag -width Fl
+.It Ar port 2000:2004
+means
+.Sq all ports >= 2000 and <= 2004 ,
+hence ports 2000, 2001, 2002, 2003 and 2004.
.It Ar port 2000 >< 2004
means
.Sq all ports > 2000 and < 2004 ,
@@ -1421,13 +1488,17 @@ A packet is only ever assigned one tag at a time.
rules that use the
.Ar tag
keyword must also use
-.Ar keep state .
+.Ar keep state ,
+.Ar modulate state
+or
+.Ar synproxy state .
Packet tagging can be done during
.Ar nat ,
.Ar rdr ,
or
.Ar binat
rules in addition to filter rules.
+Tags take the same macros as labels (see above).
.It Ar tagged <string>
Used with filter rules to specify that packets must already
be tagged with the given tag in order to match the rule.
@@ -1533,6 +1604,23 @@ option prevents
.Xr pf 4
from modifying the source port on TCP and UDP packets.
.El
+.Pp
+Additionally, the
+.Ar sticky-address
+option can be specified to help ensure that multiple connections from the
+same source are mapped to the same redirection address.
+This option can be used with the
+.Ar random
+and
+.Ar round-robin
+pool options.
+Note that by default these associations are destroyed as soon as there are
+no longer states which refer to them; in order to make the mappings last
+beyond the lifetime of the states, increase the global options with
+.Ar set timeout source-track
+See
+.Sx STATEFUL TRACKING OPTIONS
+for more ways to control the source tracking.
.Sh STATEFUL INSPECTION
.Xr pf 4
is a stateful packet filter, which means it can track the state of
@@ -1579,6 +1667,37 @@ The initial packet of each connection has the SYN
flag set, will be passed and creates state.
All further packets of these connections are passed if they match a state.
.Pp
+By default, packets coming in and out of any interface can match a state,
+but it is also possible to change that behaviour by assigning states to a
+single interface or a group of interfaces.
+.Pp
+The default policy is specified by the
+.Ar state-policy
+global option, but this can be adjusted on a per-rule basis by adding one
+of the
+.Ar if-bound ,
+.Ar group-bound
+or
+.Ar floating
+keywords to the
+.Ar keep state
+option.
+For example, if a rule is defined as:
+.Bd -literal -offset indent
+pass out on ppp from any to 10.12/16 keep state (group-bound)
+.Ed
+.Pp
+A state created on ppp0 would match packets an all PPP interfaces,
+but not packets flowing through fxp0 or any other interface.
+.Pp
+Keeping rules
+.Ar floating
+is the more flexible option when the firewall is in a dynamic routing
+environment.
+However, this has some security implications since a state created by one
+trusted network could allow potentially hostile packets coming in from other
+interfaces.
+.Pp
Specifying
.Ar flags S/SA
restricts state creation to the initial SYN
@@ -1695,7 +1814,7 @@ handshake.
The proxy is transparent to both endpoints, they each see a single
connection from/to the other endpoint.
.Xr pf 4
-choses random initial sequence numbers for both handshakes.
+chooses random initial sequence numbers for both handshakes.
Once the handshakes are completed, the sequence number modulators
(see previous section) are used to translate further packets of the
connection.
@@ -1730,8 +1849,26 @@ support the following options:
Limits the number of concurrent states the rule may create.
When this limit is reached, further packets matching the rule that would
create state are dropped, until existing states time out.
+.It Ar no-sync
+Prevent state changes for states created by this rule from appearing on the
+.Xr pfsync 4
+interface.
.It Ar <timeout> <seconds>
Changes the timeout values used for states created by this rule.
+.Pp
+When the
+.Ar source-track
+keyword is specified, the number of states per source IP is tracked.
+The following limits can be set:
+.Pp
+.Bl -tag -width xxxx -compact
+.It Ar max-src-nodes
+Limits the maximum number of source addresses which can simultaneously
+have state table entries.
+.It Ar max-src-states
+Limits the maximum number of simultaneous state entries that a single
+source address can create with this rule.
+.El
For a list of all valid timeout names, see
.Sx OPTIONS
above.
@@ -1740,7 +1877,8 @@ Multiple options can be specified, separated by commas:
.Bd -literal
pass in proto tcp from any to any \e
port www flags S/SA keep state \e
- (max 100, tcp.established 60, tcp.closing 5)
+ (max 100, source-track rule, max-src-nodes 75, \e
+ max-src-states 3, tcp.established 60, tcp.closing 5)
.Ed
.El
.Sh OPERATING SYSTEM FINGERPRINTING
@@ -1853,7 +1991,7 @@ to local addresses.
One should pass these explicitly.
.Sh FRAGMENT HANDLING
The size of IP datagrams (packets) can be significantly larger than the
-the maximum transmission unit (MTU) of the network.
+maximum transmission unit (MTU) of the network.
In cases when it is necessary or more efficient to send such large packets,
the large packet will be fragmented into many smaller packets that will each
fit onto the wire.
@@ -2027,7 +2165,7 @@ rule after the
rule:
.Bd -literal -offset indent
anchor spam
-load anchor spam:manual from /etc/pf-spam.conf
+load anchor spam:manual from "/etc/pf-spam.conf"
.Ed
.Pp
When
@@ -2072,8 +2210,11 @@ This example maps incoming requests on port 80 to port 8080, on
which a daemon is running (because, for example, it is not run as root,
and therefore lacks permission to bind to port 80).
.Bd -literal
+# use a macro for the interface name, so it can be changed easily
+ext_if = \&"ne3\&"
+
# map daemon on 8080 to appear to be on 80
-rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
+rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
.Ed
.Pp
If the
@@ -2081,7 +2222,8 @@ If the
modifier is given, packets matching the translation rule are passed without
inspecting the filter rules:
.Bd -literal
-rdr pass on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
+rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e
+ port 8080
.Ed
.Pp
In the example below, vlan12 is configured as 192.168.168.1;
@@ -2096,83 +2238,80 @@ for the nodes on vlan12.
nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
.Ed
.Pp
-In the example below, fxp1 is the outside interface; the machine sits between a
-fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100.
+In the example below, the machine sits between a fake internal 144.19.74.*
+network, and a routable external IP of 204.92.77.100.
The
.Ar no nat
rule excludes protocol AH from being translated.
.Bd -literal
# NO NAT
-no nat on fxp1 proto ah from 144.19.74.0/24 to any
-nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100
+no nat on $ext_if proto ah from 144.19.74.0/24 to any
+nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
.Ed
.Pp
-In the example below, fxp0 is the internal interface.
-Packets bound
-for one specific server, as well as those generated by the sysadmins
-are not proxied; all other connections are.
+In the example below, packets bound for one specific server, as well as those
+generated by the sysadmins are not proxied; all other connections are.
.Bd -literal
# NO RDR
-no rdr on fxp0 proto { tcp, udp } from any to $server port 80
-no rdr on fxp0 proto { tcp, udp } from $sysadmins to any port 80
-rdr on fxp0 proto { tcp, udp } from any to any port 80 -> 127.0.0.1 port 80
+no rdr on $int_if proto { tcp, udp } from any to $server port 80
+no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
+rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e
+ port 80
.Ed
.Pp
This longer example uses both a NAT and a redirection.
-Interface kue0 is the outside interface, and its external address is
-157.161.48.183.
-Interface fxp0 is the inside interface, and we are running
+The external interface has the address 157.161.48.183.
+On the internal interface, we are running
.Xr ftp-proxy 8 ,
listening for outbound ftp sessions captured to port 8021.
.Bd -literal
# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
-nat on kue0 inet from ! (kue0) to any -> (kue0)
+nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
# NAT PROXYING
# Map outgoing packets' source port to an assigned proxy port instead of
# an arbitrary port.
# In this case, proxy outgoing isakmp with port 500 on the gateway.
-nat on kue0 inet proto udp from any port = isakmp to any -> (kue0) \e
+nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
port 500
# BINAT
# Translate outgoing packets' source address (any protocol).
# Translate incoming packets' destination address to an internal machine
# (bidirectional).
-binat on kue0 from 10.1.2.150 to any -> (kue0)
+binat on $ext_if from 10.1.2.150 to any -> ($ext_if)
# RDR
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
-rdr on kue0 inet proto tcp from any to (kue0) port 8080 -> 10.1.2.151 \e
- port 22
-rdr on kue0 inet proto udp from any to (kue0) port 8080 -> 10.1.2.151 \e
- port 53
+rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
+ -> 10.1.2.151 port 22
+rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
+ -> 10.1.2.151 port 53
# RDR
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
-rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
.Ed
.Pp
In this example, a NAT gateway is set up to translate internal addresses
using a pool of public addresses (192.0.2.16/28) and to redirect
incoming web server connections to a group of web servers on the internal
network.
-Interface fxp0 is the external interface.
.Bd -literal
# NAT LOAD BALANCE
# Translate outgoing packets' source addresses using an address pool.
# A given source address is always translated to the same pool address by
# using the source-hash keyword.
-nat on fxp0 inet from any to any -> 192.0.2.16/28 source-hash
+nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
# RDR ROUND ROBIN
# Translate incoming web server connections to a group of web servers on
# the internal network.
-rdr on fxp0 proto tcp from any to any port 80 \e
+rdr on $ext_if proto tcp from any to any port 80 \e
-> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
.Ed
.Sh FILTER EXAMPLES
@@ -2283,8 +2422,11 @@ option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "limit" ( limit-item | "{" limit-list "}" ) ] |
[ "loginterface" ( interface-name | "none" ) ] |
[ "block-policy" ( "drop" | "return" ) ] |
+ [ "state-policy" ( "if-bound" | "group-bound" |
+ "floating" ) ]
[ "require-order" ( "yes" | "no" ) ]
- [ "fingerprints" filename ] )
+ [ "fingerprints" filename ] |
+ [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] )
pf-rule = action [ ( "in" | "out" ) ]
[ "log" | "log-all" ] [ "quick" ]
@@ -2299,7 +2441,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type | tos |
"max-mss" number | "random-id" | "reassemble tcp" |
fragmentation | "allow-opts" |
"label" string | "tag" string | [ ! ] "tagged" string
- "queue" "(" string | ( string [ [ "," ] string ] ) ")"
+ "queue" ( string | "(" string [ [ "," ] string ] ")" )
nat-rule = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ]
@@ -2341,7 +2483,7 @@ anchor-rule = "anchor" string [ ( "in" | "out" ) ] [ "on" ifspec ]
trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
[ "on" ifspec ] [ af ] [ "proto" ] [ protospec ] [ hosts ]
-load-anchor = "load" anchorname:rulesetname "from" filename
+load-anchor = "load anchor" anchorname:rulesetname "from" filename
queueopts-list = queueopts-list queueopts | queueopts
queueopts = [ "bandwidth" bandwidth-spec ] |
@@ -2350,7 +2492,7 @@ queueopts = [ "bandwidth" bandwidth-spec ] |
schedulers = ( cbq-def | priq-def | hfsc-def )
bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
-action = "pass" | "block" [ "return" ] | "scrub"
+action = "pass" | "block" [ return ] | "scrub"
return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
"return-icmp" [ "(" icmpcode ["," icmp6code ] ")" ] |
"return-icmp6" [ "(" icmp6code ")" ]
@@ -2413,7 +2555,10 @@ tos = "tos" ( "lowdelay" | "throughput" | "reliability" |
[ "0x" ] number )
state-opts = state-opt [ [ "," ] state-opts ]
-state-opt = ( "max" number ) | ( timeout )
+state-opt = ( "max" number | "no-sync" | timeout |
+ "source-track" [ ( "rule" | "global" ) ] |
+ "max-src-nodes" number | "max-src-states" number |
+ "if-bound" | "group-bound" | "floating" )
fragmentation = [ "fragment reassemble" | "fragment crop" |
"fragment drop-ovl" ]
@@ -2424,15 +2569,15 @@ timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" |
"udp.first" | "udp.single" | "udp.multiple" |
"icmp.first" | "icmp.error" |
"other.first" | "other.single" | "other.multiple" |
- "frag" | "interval" |
+ "frag" | "interval" | "src.track" |
"adaptive.start" | "adaptive.end" ) number
limit-list = limit-item [ [ "," ] limit-list ]
-limit-item = ( "states" | "frags" ) number
+limit-item = ( "states" | "frags" | "src-nodes" ) number
pooltype = ( "bitmask" | "random" |
"source-hash" [ ( hex-key | string-key ) ] |
- "round-robin" )
+ "round-robin" ) [ sticky-address ]
subqueue = string | "{" queue-list "}"
queue-list = string [ [ "," ] string ]
@@ -2470,6 +2615,7 @@ Example rulesets.
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr pf 4 ,
+.Xr pfsync 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr hosts 5 ,
diff --git a/contrib/pf/man/pf.os.5 b/contrib/pf/man/pf.os.5
index 485f69a..9978174 100644
--- a/contrib/pf/man/pf.os.5
+++ b/contrib/pf/man/pf.os.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.os.5,v 1.4 2003/08/28 09:41:23 jmc Exp $
+.\" $OpenBSD: pf.os.5,v 1.5 2003/10/25 07:55:27 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
@@ -77,7 +77,7 @@ Allow any window size which is a multiple of the maximum transmission unit
The
.Ar ttl
value is the initial time to live in the IP header.
-The fingerprint code will account for the volatility of the packets's TTL
+The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
diff --git a/contrib/pf/man/pflog.4 b/contrib/pf/man/pflog.4
index eb7a72e..d7bee13 100644
--- a/contrib/pf/man/pflog.4
+++ b/contrib/pf/man/pflog.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pflog.4,v 1.4 2003/09/22 04:53:15 jmc Exp $
+.\" $OpenBSD: pflog.4,v 1.7 2004/03/21 19:47:59 miod Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
@@ -30,19 +30,20 @@
.Nm pflog
.Nd packet filter logging interface
.Sh SYNOPSIS
-.Sy pseudo-device Nm pflog Em <number>
+.Cd "pseudo-device pflog"
.Sh DESCRIPTION
The
.Nm pflog
-interface is the interface the packet filter,
-.Xr pf 4 ,
-copies all the packets to which it has been configured to log.
-In this way, all logged packets can easily be monitored in real
+interface is a pseudo-device which makes visible all packets logged by
+the packet filter,
+.Xr pf 4 .
+Logged packets can easily be monitored in real
time by invoking
.Xr tcpdump 8
on the
.Nm
-interface.
+interface, or stored to disk using
+.Xr pflogd 8 .
.Pp
Each packet retrieved on this interface has a header associated
with it of length
diff --git a/contrib/pf/man/pfsync.4 b/contrib/pf/man/pfsync.4
index 21dd7d5..f7b39df 100644
--- a/contrib/pf/man/pfsync.4
+++ b/contrib/pf/man/pfsync.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfsync.4,v 1.6 2003/06/06 10:29:41 jmc Exp $
+.\" $OpenBSD: pfsync.4,v 1.16 2004/03/22 21:04:36 jmc Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
.\" All rights reserved.
@@ -30,19 +30,48 @@
.Nm pfsync
.Nd packet filter states table logging interface
.Sh SYNOPSIS
-.Sy pseudo-device Nm pfsync
+.Cd "pseudo-device pfsync"
.Sh DESCRIPTION
The
-.Nm pfsync
-interface is the interface to the packet filter,
-.Xr pf 4 ,
-exposing all the changes to the state table.
-This allows for both debugging of rulesets and monitoring
-for changes in the table by invoking
+.Nm
+interface is a pseudo-device which exposes certain changes to the state
+table used by
+.Xr pf 4 .
+State changes can be viewed by invoking
.Xr tcpdump 8
on the
.Nm
interface.
+If configured with a physical synchronisation interface,
+.Nm
+will also send state changes out on that interface using IP multicast,
+and insert state changes received on that interface from other systems
+into the state table.
+.Pp
+By default, all local changes to the state table are exposed via
+.Nm .
+However, state changes from packets received by
+.Nm
+over the network are not rebroadcast.
+States created by a rule marked with the
+.Ar no-sync
+keyword are omitted from the
+.Nm
+interface (see
+.Xr pf.conf 5
+for details).
+.Pp
+The
+.Nm
+interface will attempt to collapse multiple updates of the same
+state into one message where possible.
+The maximum number of times this can be done before the update is sent out
+is controlled by the
+.Ar maxupd
+to ifconfig.
+(see
+.Xr ifconfig 8
+and the example below for more details)
.Pp
Each packet retrieved on this interface has a header associated
with it of length
@@ -61,16 +90,133 @@ struct pfsync_header {
u_int8_t count;
};
.Ed
+.Sh NETWORK SYNCHRONISATION
+States can be synchronised between two or more firewalls using this
+interface, by specifying a synchronisation interface using
+.Xr ifconfig 8 .
+For example, the following command sets fxp0 as the synchronisation
+interface.
+.Bd -literal -offset indent
+# ifconfig pfsync0 syncif fxp0
+.Ed
+.Pp
+State change messages are sent out on the synchronisation
+interface using IP multicast packets.
+The protocol is IP protocol 240, PFSYNC, and the multicast group
+used is 224.0.0.240.
+.Pp
+It is important that the synchronisation interface be on a trusted
+network as there is no authentication on the protocol and it would
+be trivial to spoof packets which create states, bypassing the pf ruleset.
+Ideally, this is a network dedicated to pfsync messages,
+i.e. a crossover cable between two firewalls.
+.Pp
+There is a one-to-one correspondence between packets seen by
+.Xr bpf 4
+on the
+.Nm
+interface, and packets sent out on the synchronisation interface, i.e.\&
+a packet with 4 state deletion messages on
+.Nm
+means that the same 4 deletions were sent out on the synchronisation
+interface.
+However, the actual packet contents may differ as the messages
+sent over the network are "compressed" where possible, containing
+only the necessary information.
.Sh EXAMPLES
+.Nm
+and
+.Xr carp 4
+can be used together to provide automatic failover of a pair of firewalls
+configured in parallel.
+One firewall handles all traffic \- if it dies or
+is shut down, the second firewall takes over automatically.
+.Pp
+Both firewalls in this example have three
+.Xr sis 4
+interfaces.
+sis0 is the external interface, on the 10.0.0.0/24 subnet, sis1 is the
+internal interface, on the 192.168.0.0/24 subnet, and sis2 is the
+.Nm
+interface, using the 192.168.254.0/24 subnet.
+A crossover cable connects the two firewalls via their sis2 interfaces.
+On all three interfaces, firewall A uses the .254 address, while firewall B
+uses .253.
+The interfaces are configured as follows (firewall A unless otherwise
+indicated):
+.Pp
+.Pa /etc/hostname.sis0 :
+.Bd -literal -offset indent
+inet 10.0.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis1 :
+.Bd -literal -offset indent
+inet 192.168.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis2 :
+.Bd -literal -offset indent
+inet 192.168.254.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.carp0 :
+.Bd -literal -offset indent
+inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
+.Ed
+.Pp
+.Pa /etc/hostname.carp1 :
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
+.Ed
+.Pp
+.Pa /etc/hostname.pfsync0 :
+.Bd -literal -offset indent
+up syncif sis2
+.Ed
+.Pp
+.Xr pf 4
+must also be configured to allow
+.Nm
+and
+.Xr carp 4
+traffic through.
+The following should be added to the top of
+.Pa /etc/pf.conf :
+.Bd -literal -offset indent
+pass quick on { sis2 } proto pfsync
+pass on { sis0 sis1 } proto carp keep state
+.Ed
+.Pp
+If it is preferable that one firewall handle the traffic,
+the
+.Ar advskew
+on the backup firewall's
+.Xr carp 4
+interfaces should be set to something higher than
+the primary's.
+For example, if firewall B is the backup, its
+.Pa /etc/hostname.carp1
+would look like this:
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e
+ advskew 100
+.Ed
+.Pp
+The following must also be added to
+.Pa /etc/sysctl.conf :
.Bd -literal -offset indent
-# ifconfig pfsync0 up
-# tcpdump -s1500 -evtni pfsync0
+net.inet.carp.preempt=1
.Ed
.Sh SEE ALSO
+.Xr bpf 4 ,
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
+.Xr hostname.if 5 ,
+.Xr pf.conf 5 ,
+.Xr protocols 5 ,
.Xr ifconfig 8 ,
.Xr tcpdump 8
.Sh HISTORY