--- fwsync/patches/ip_fw_dynamic.patch 2022/08/03 17:10:59 1.2 +++ fwsync/patches/ip_fw_dynamic.patch 2022/08/09 23:42:44 1.3 @@ -1,5 +1,5 @@ diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c -index 00b54fa463a..871d7f565fe 100644 +index 00b54fa463a..3a2054aaca4 100644 --- a/sys/netpfil/ipfw/ip_fw_dynamic.c +++ b/sys/netpfil/ipfw/ip_fw_dynamic.c @@ -1868,6 +1868,7 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid, @@ -10,7 +10,7 @@ index 00b54fa463a..871d7f565fe 100644 MPASS(type == O_LIMIT || type == O_KEEP_STATE); -@@ -1959,6 +1960,15 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid, +@@ -1959,6 +1960,17 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid, #endif } } 
@@ -20,33 +20,47 @@ index 00b54fa463a..871d7f565fe 100644 + edat.ruleid = ruleid; + edat.rulenum = rulenum; + edat.fibnum = fibnum; ++ edat.kidx = kidx; ++ edat.cmdtype = type; + V_hook_state(pkt, &edat); + } + /* * EEXIST means that simultaneous thread has created this * state. Consider this as success. -@@ -1970,6 +1980,30 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid, - return (ret); +@@ -2783,6 +2795,7 @@ dyn_tick(void *vnetx) + #endif + NET_EPOCH_EXIT(et); + } ++ + /* + * Check if we need to resize the hash: + * if current number of states exceeds number of buckets in hash, +@@ -2816,6 +2829,34 @@ ipfw_expire_dyn_states(struct ip_fw_chain *chain, ipfw_range_tlv *rt) + dyn_expire_states(chain, rt); } +int -+ipfw_dyn_install_sync_state(const struct ipfw_flow_id *pkt, void *rule, uint32_t ruleid, uint16_t rulenum) ++ipfw_dyn_install_sync_state(const struct ipfw_flow_id *pkt, void *rule, uint32_t ruleid, ++ uint16_t rulenum, uint16_t kidx, uint8_t cmdtype) +{ + int ret = 0; -+ uint32_t hashval; ++ uint32_t hashval = 0; + struct ipfw_dyn_info info; + + DYN_INFO_INIT(&info); + ++ printf("%s: pkt=%p rule=%p rid=%u rn=%hu kidx=0x%hx ct=%hhu\n", __func__, ++ pkt, rule, ruleid, rulenum, kidx, cmdtype); ++ + hashval = hash_packet(pkt); + if (IS_IP4_FLOW_ID(pkt)) + ret = dyn_add_ipv4_state(rule, ruleid, rulenum, pkt, -+ NULL, 0, hashval, &info, pkt->fib, 0, O_KEEP_STATE); ++ NULL, 0, hashval, &info, pkt->fib, kidx, cmdtype); +#ifdef INET6 + else if (IS_IP6_FLOW_ID(pkt)) + ret = dyn_add_ipv6_state(rule, ruleid, rulenum, pkt, -+ pkt->flow_id6, NULL, 0, hashval, &info, pkt->fib, 0, O_KEEP_STATE); ++ pkt->flow_id6, NULL, 0, hashval, &info, pkt->fib, kidx, cmdtype); +#endif /* INET6 */ + else + ret = EAFNOSUPPORT; @@ -55,5 +69,5 @@ index 00b54fa463a..871d7f565fe 100644 +} + /* - * Install dynamic state. - * chain - ipfw's instance; + * Pass through all states and reset eaction for orphaned rules. + */
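Review bot: `ipfw_dyn_install_sync_state()` now forwards caller-supplied `kidx` and `cmdtype` straight into `dyn_add_ipv4_state()`/`dyn_add_ipv6_state()` without the type check that `dyn_install_state()` has (`MPASS(type == O_LIMIT || type == O_KEEP_STATE)` is visible in the earlier hunk), whereas revision 1.2 hard-coded `0, O_KEEP_STATE`. If these values arrive from a sync peer, which the function name suggests but the page does not show, an unexpected opcode or a stale `kidx` would be installed as-is. A runtime guard such as `if (cmdtype != O_KEEP_STATE && cmdtype != O_LIMIT) return (EINVAL);` before `hash_packet()` would reject it, and O_LIMIT deserves a second look because `rule` is passed in the slot the local path may use for a parent state. The added `printf()` also runs unconditionally on every call and prints the kernel addresses of `pkt` and `rule` with `%p`, so it should be dropped or put behind a debug knob before this ships. The function's closing lines fall outside this hunk.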