diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile
--- a/sbin/ipf/Makefile
+++ b/sbin/ipf/Makefile
@@ -1,5 +1,10 @@
+.include <src.opts.mk>
+
 SUBDIR=		libipf .WAIT
-SUBDIR+=	ipf ipfs ipfstat ipmon ipnat ippool
+SUBDIR+=	ipf ipfstat ipmon ipnat ippool
+.if ${MK_IPFS} != "no"
+SUBDIR+=	ipfs
+.endif
 # XXX Temporarily disconnected.
 # SUBDIR+=	ipftest ipresend ipsend
 SUBDIR_PARALLEL=
diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@@ -209,6 +209,7 @@
     DTRACE_TESTS \
     EXPERIMENTAL \
     HESIOD \
+    IPFS \
     LOADER_VERBOSE \
     LOADER_VERIEXEC_PASS_MANIFEST \
     LLVM_FULL_DEBUGINFO \
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -1046,6 +1046,7 @@
 options 	IPFILTER_LOG		#ipfilter logging
 options 	IPFILTER_LOOKUP		#ipfilter pools
 options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
+options		ENABLE_IPFS		#enable experimental ipfs(8) support
 options 	IPSTEALTH		#support for stealth forwarding
 options 	PF_DEFAULT_TO_DROP	#drop everything by default
 options 	TCP_BLACKBOX
diff --git a/sys/conf/options b/sys/conf/options
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -106,6 +106,7 @@
 DEADLKRES	opt_watchdog.h
 EXPERIMENTAL	opt_global.h
 DIRECTIO
+ENABLE_IPFS
 FFCLOCK
 FULL_PREEMPTION	opt_sched.h
 GZIO		opt_gzio.h
diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile
--- a/sys/modules/ipfilter/Makefile
+++ b/sys/modules/ipfilter/Makefile
@@ -1,3 +1,5 @@
+.include <src.opts.mk>
+
 .PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet
 
 KMOD=	ipl
@@ -9,6 +11,11 @@
 
 CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter
 CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP
+
+.if ${MK_IPFS} != "no"
+CFLAGS+= -DENABLE_IPFS
+.endif
+
 #
 # If you don't want log functionality remove -DIPFILTER_LOG
 #
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1354,6 +1354,7 @@
 		error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx);
 		break;
 
+#ifdef ENABLE_IPFS
 	case SIOCSTLCK :
 		if (!(mode & FWRITE)) {
 			IPFERROR(60015);
@@ -1389,6 +1390,7 @@
 			error = EACCES;
 		}
 		break;
+#endif
 
 	case SIOCGENITER :
 	    {
@@ -1696,7 +1698,7 @@
 	}
 }
 
-
+#ifdef ENABLE_IPFS
 /* ------------------------------------------------------------------------ */
 /* Function:    ipf_nat_getsz                                               */
 /* Returns:     int - 0 == success, != 0 is the error value.                */
@@ -2264,6 +2266,7 @@
 	}
 	return (error);
 }
+#endif /* ENABLE_IPFS */
 
 
 /* ------------------------------------------------------------------------ */
diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@@ -2627,6 +2627,10 @@
 OLD_FILES+=usr/share/man/man8/ippool.8.gz
 .endif
 
+.if ${MK_IPFS} == no
+OLD_FILES+=sbin/ipfs
+.endif
+
 .if ${MK_IPFW} == no
 OLD_FILES+=etc/rc.d/ipfw
 OLD_FILES+=etc/rc.d/natd