DF-0428
pfsync_input has no source/peer authentication: any on-link host can inject/modify/destroy pf state
Summary
pfsync_input (:462-541) is the live IPPROTO_PFSYNC (240) handler registered in in_proto.c:281-288; the comment there saying it is "not yet called" is stale. The handler validates only that a sync interface is configured (:489), that the packet arrived on sync_ifp (:493), that TTL == 255 (:499), and that the version and action are valid (:521, :530). It captures ip_src (:536) for replies but never compares it against the configured sc_sync_peer. Even when a unicast peer is configured via SIOCSETPFSYNC (:1076-1080), INS/UPD/DEL/CLR/UPD_C/DEL_C/UREQ/BUS messages are accepted from any source, and the TTL == 255 requirement is trivially met by any on-link sender. pfsyncr_authlevel is defined but never enforced. Impact: any on-link host can insert states to bypass the firewall (INS), delete states to sever connections (DEL/CLR), or corrupt a TCP sequence window (UPD).
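As an added illustration (not the kernel's code; the struct and helper names are hypothetical stand-ins), this C model reproduces the validation sequence described above and then adds the missing peer comparison. It assumes that an unset sync_peer means multicast mode, where no source pinning applies.

```c
/* Added example: a self-contained model of the pfsync_input input gate.
 * Not the kernel code; field and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>   /* in_addr_t, inet_addr */

#define PFSYNC_TTL      255
#define NO_UNICAST_PEER 0   /* assumption: 0 = no unicast peer configured */

/* Minimal stand-in for the softc fields the check needs. */
struct sc_model {
    int       sync_ifp_idx;  /* configured sync interface, 0 = none */
    in_addr_t sync_peer;     /* unicast peer (network order), 0 = none */
};

/* Minimal stand-in for the received packet. */
struct pkt_model {
    int       rcv_ifp_idx;   /* interface the packet arrived on */
    uint8_t   ttl;
    in_addr_t src;           /* ip_src, captured but never compared */
};

/* The checks the vulnerable handler performs: ifp configured, arrived on
 * sync_ifp, TTL == 255. Nothing pins the sender. */
static bool gate_vulnerable(const struct sc_model *sc, const struct pkt_model *p)
{
    if (sc->sync_ifp_idx == 0) return false;
    if (p->rcv_ifp_idx != sc->sync_ifp_idx) return false;
    if (p->ttl != PFSYNC_TTL) return false;
    return true;
}

/* Hardened gate: when a unicast peer is configured, drop anything whose
 * source is not that peer. (Assumption: unset peer = multicast mode.) */
static bool gate_hardened(const struct sc_model *sc, const struct pkt_model *p)
{
    if (!gate_vulnerable(sc, p)) return false;
    if (sc->sync_peer != NO_UNICAST_PEER && p->src != sc->sync_peer) return false;
    return true;
}

/* Convenience wrapper: peer (NULL = none) and src as dotted quads,
 * packet always on the configured sync interface (index 1). */
static bool accepted(const char *peer, const char *src, uint8_t ttl, bool hardened)
{
    struct sc_model sc = { .sync_ifp_idx = 1,
                           .sync_peer = peer ? inet_addr(peer) : NO_UNICAST_PEER };
    struct pkt_model p = { .rcv_ifp_idx = 1, .ttl = ttl, .src = inet_addr(src) };
    return hardened ? gate_hardened(&sc, &p) : gate_vulnerable(&sc, &p);
}
```

The constructed addresses below are documentation-range (192.0.2.0/24) placeholders, not values from the report.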