Contributed by jose on from the sync-sync-sync dept.
"CVSROOT: /cvs Module name: src Changes by: email@example.com 2003/12/15 00:11:31 Modified files: sbin/ifconfig : ifconfig.c sbin/pfctl : parse.y pf_print_state.c pfctl.c pfctl_parser.c pfctl_parser.h sys/net : if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pfvar.h sys/netinet : in.h in_proto.c usr.bin/netstat: inet.c main.c netstat.h usr.sbin/authpf: authpf.c usr.sbin/tcpdump: interface.h print-ip.c print-pfsync.c Log message: Add initial support for pf state synchronization over the network. Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contains regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@ "Several people wrote about this, because this looks super cool.