On Thu, 19 Apr 2007, Charlie Allom wrote:

> I am looking for the reasoning behind *not* importing pfsync into 
> NetBSD..
> 
> FreeBSD, OpenBSD & DragonFlyBSD are currently the only platforms I can 
> deploy redundant pf(4) & carp(4) firewalls with. This is a sad state of 
> affairs for NetBSD imo.
> 
> Can anyone answer?

The http://www.netbsd.org/Documentation/network/pf.html webpage (and [1]) 
says: "pfsync(4) is not supported (due to protocol number assignment 
issues). This will hopefully be solved in a future release."

I don't know when that protocol number assignment issue will be resolved.

Some details about this is documented in the OpenBSD lyrics page at 
http://www.openbsd.org/lyrics.html#35 (search for "request was denied").

OpenBSD and FreeBSD use (for /etc/protocols):

pfsync  240     PFSYNC          # PF Synchronization

which is apparently in the unassigned range.

I recall CARP had same issue, but that got committed. NetBSD's 
/etc/services has:

carp    112     CARP    vrrp    # Virtual Router Redundancy Protocol

Can you port over the OpenBSD pfsync code so we can test your patches? 
(Also see FreeBSD's pfsync code so you can see their ifdefs.)

  Jeremy C. Reed

[1]
<shameless plug> 
http://www.amazon.com/OpenBSD-PF-Packet-Filter-Book/dp/0979034205
</shameless plug>