There is a reference counting error which breaks pfsync in the 
case where one has default adaptive timeouts enabled in pf.

When states are learnt via the network they are attached to 
pf_default_rule, but the state count for that rule is not 
increased in the current code.

Later on, when that state expires, the number of states attached
to the default rule wraps around, resulting in ~2^32 states being
reported in future calls to pf_state_expires, and pf_state_expires
reporting from then on that all states should expire immediately.

This patch increases the state count before attempting an insert
as per other sections of the pf code, which makes pfsync work on a
system with adaptive timeouts enabled.

Chris Pascoe
2004/07/19

Index: if_pfsync.c
===================================================================
RCS file: /cvs/src/sys/net/if_pfsync.c,v
retrieving revision 1.35
diff -u -r1.35 if_pfsync.c
--- if_pfsync.c	21 Jun 2004 23:50:36 -0000	1.35
+++ if_pfsync.c	19 Jul 2004 10:48:49 -0000
@@ -198,6 +198,8 @@
 	st->rule.ptr = r;
 	/* XXX get pointers to nat_rule and anchor */
 
+	r->states++;
+
 	/* fill in the rest of the state entry */
 	pf_state_host_ntoh(&sp->lan, &st->lan);
 	pf_state_host_ntoh(&sp->gwy, &st->gwy);