diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c
index 00b54fa463a..871d7f565fe 100644
--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -1868,6 +1868,7 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid,
 	struct ipfw_flow_id id;
 	uint32_t hashval, parent_hashval, ruleid, rulenum;
 	int ret;
+	struct ipfw_dyn_hook_extdata edat;
 
 	MPASS(type == O_LIMIT || type == O_KEEP_STATE);
 
@@ -1959,6 +1960,15 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid,
 #endif
 		}
 	}
+
+	if (type == O_KEEP_STATE && !ret && V_hook_state) {
+		memset(&edat, 0, sizeof edat);
+		edat.ruleid = ruleid;
+		edat.rulenum = rulenum;
+		edat.fibnum = fibnum;
+		V_hook_state(pkt, &edat);
+	}
+
 	/*
 	 * EEXIST means that simultaneous thread has created this
 	 * state. Consider this as success.
@@ -1970,6 +1980,30 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid,
 	return (ret);
 }
 
+int
+ipfw_dyn_install_sync_state(const struct ipfw_flow_id *pkt, void *rule, uint32_t ruleid, uint16_t rulenum)
+{
+	int ret = 0;
+	uint32_t hashval;
+	struct ipfw_dyn_info info;
+
+	DYN_INFO_INIT(&info);
+
+	hashval = hash_packet(pkt);
+	if (IS_IP4_FLOW_ID(pkt))
+		ret = dyn_add_ipv4_state(rule, ruleid, rulenum, pkt,
+		    NULL, 0, hashval, &info, pkt->fib, 0, O_KEEP_STATE);
+#ifdef INET6
+	else if (IS_IP6_FLOW_ID(pkt))
+		ret = dyn_add_ipv6_state(rule, ruleid, rulenum, pkt,
+		    pkt->flow_id6, NULL, 0, hashval, &info, pkt->fib, 0, O_KEEP_STATE);
+#endif /* INET6 */
+	else
+		ret = EAFNOSUPPORT;
+
+	return ret;
+}
+
 /*
  * Install dynamic state.
  *  chain - ipfw's instance;