diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index 99d3a9c58cb..0f9badd08a0 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -186,6 +186,10 @@ ipfw_nat_cfg_t *ipfw_nat_del_ptr;
 ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
 ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
 
+VNET_DEFINE(ipfw_hook_t, hook_state) = NULL;
+VNET_DEFINE(ipfw_hook_t, sync_state) = NULL;
+VNET_DEFINE(ipfw_hook_t, sync_alias) = NULL;
+
 #ifdef SYSCTL_NODE
 uint32_t dummy_def = IPFW_DEFAULT_RULE;
 static int sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS);
@@ -2866,6 +2870,9 @@ do {								\
 				if (cmd->opcode == O_CHECK_STATE)
 					l = 0;	/* exit inner loop */
 				match = 1;
+
+				if (cmd->opcode == O_CHECK_STATE && V_sync_state)
+					V_sync_state(NULL, NULL);
 				break;
 
 			case O_SKIP_ACTION:
@@ -3200,6 +3207,9 @@ do {								\
 				 * non IPv4 packets. Libalias expects only IPv4.
 				 */
 				if (!is_ipv4 || !IPFW_NAT_LOADED) {
+					/* purge waiting aliases for sync */
+					if (V_sync_alias)
+						V_sync_alias(NULL, NULL);
 				    retval = IP_FW_DENY;
 				    break;
 				}