Add a pfsync_syncpeer option to /etc/defaults/rc.conf and rc.conf(5),

which can be used to turn off multicast pfsync support, and enable
the transmission of directed PFSYNC (IP protocol: 240) packets to
a specific "sync peer" host.

PR:		conf/111225
Submitted by:	Bas van Beek <bas@tobin.nl>
Approved by:	mtm, mlaier
MFC after:	2 weeks

etc/defaults/rc.conf

@@ -156,6 +156,7 @@ pflog_program="/sbin/pflogd"	# where the pflogd program lives
 pflog_flags=""			# additional flags for pflogd
 pfsync_enable="NO"		# Expose pf state to other hosts for syncing
 pfsync_syncdev=""		# Interface for pfsync to work through
+pfsync_syncpeer=""		# IP address of pfsync peer host
 pfsync_ifconfig=""		# Additional options to ifconfig(8) for pfsync
 tcp_extensions="YES"		# Set to NO to turn off RFC1323 extensions.
 log_in_vain="0"			# >=1 to log connects to ports w/o listeners.

etc/rc.d/pfsync

@@ -36,8 +36,13 @@ pfsync_prestart()
 
 pfsync_start()
 {
+	local _syncpeer
+
 	echo "Enabling pfsync."
-	ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
+	if [ -n "${pfsync_syncpeer}" ]; then
+		_syncpeer="syncpeer ${pfsync_syncpeer}"
+	fi
+	ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
 }
 
 pfsync_stop()

share/man/man5/rc.conf.5

@@ -855,6 +855,26 @@ It must be set accordingly if
 .Va pfsync_enable
 is set to
 .Dq Li YES .
+.It Va pfsync_syncpeer
+.Pq Vt str
+Empty by default.
+This variable is optional.
+By default, state change messages are sent out on the synchronisation
+interface using IP multicast packets.
+The protocol is IP protocol 240, PFSYNC, and the multicast group used is
+224.0.0.240.
+When a peer address is specified using the
+.Va pfsync_syncpeer
+option, the peer address is used as a destination for the pfsync
+traffic, and the traffic can then be protected using
+.Xr ipsec 4 .
+See the
+.Xr pfsync 4
+manpage for more details about using
+.Xr ipsec 4
+with
+.Xr pfsync 4
+interfaces.
 .It Va pfsync_ifconfig
 .Pq Vt str
 Empty by default.