Index: sys/net80211/_ieee80211.h
===================================================================
--- sys/net80211/_ieee80211.h	(revision 269480)
+++ sys/net80211/_ieee80211.h	(working copy)
@@ -84,8 +84,9 @@
 	IEEE80211_M_HOSTAP	= 4,	/* Software Access Point */
 	IEEE80211_M_MONITOR	= 5,	/* Monitor mode */
 	IEEE80211_M_MBSS	= 6,	/* MBSS (Mesh Point) link */
+	IEEE80211_M_INJECT	= 7,	/* Monitor+inject mode */
 };
-#define	IEEE80211_OPMODE_MAX	(IEEE80211_M_MBSS+1)
+#define	IEEE80211_OPMODE_MAX	(IEEE80211_M_INJECT+1)
 
 /*
  * 802.11g/802.11n protection mode.
Index: sys/net80211/ieee80211.c
===================================================================
--- sys/net80211/ieee80211.c	(revision 269480)
+++ sys/net80211/ieee80211.c	(working copy)
@@ -76,9 +76,8 @@
 	[IEEE80211_M_AHDEMO]	= IEEE80211_C_AHDEMO,
 	[IEEE80211_M_HOSTAP]	= IEEE80211_C_HOSTAP,
 	[IEEE80211_M_MONITOR]	= IEEE80211_C_MONITOR,
-#ifdef IEEE80211_SUPPORT_MESH
 	[IEEE80211_M_MBSS]	= IEEE80211_C_MBSS,
-#endif
+	[IEEE80211_M_INJECT]	= IEEE80211_C_INJECT,
 };
 
 static const uint8_t ieee80211broadcastaddr[IEEE80211_ADDR_LEN] =
@@ -691,7 +690,8 @@
 			 * drivers don't need to special-case it
 			 */
 			if (flag == IFF_PROMISC &&
-			    !(vap->iv_opmode == IEEE80211_M_MONITOR ||
+			    !((vap->iv_opmode == IEEE80211_M_MONITOR ||
+			       vap->iv_opmode == IEEE80211_M_INJECT) ||
 			      (vap->iv_opmode == IEEE80211_M_AHDEMO &&
 			       (vap->iv_caps & IEEE80211_C_TDMA) == 0)))
 				continue;
@@ -1034,6 +1034,8 @@
 		ADD(media, mword, mopt | IFM_IEEE80211_WDS);
 	if (caps & IEEE80211_C_MBSS)
 		ADD(media, mword, mopt | IFM_IEEE80211_MBSS);
+	if (caps & IEEE80211_C_INJECT)
+		ADD(media, mword, mopt | IFM_IEEE80211_INJECT);
 #undef ADD
 }
 
@@ -1351,6 +1353,9 @@
 	case IEEE80211_M_MBSS:
 		status |= IFM_IEEE80211_MBSS;
 		break;
+	case IEEE80211_M_INJECT:
+		status |= IFM_IEEE80211_INJECT;
+		break;
 	}
 	if (IEEE80211_IS_CHAN_HTA(chan)) {
 		status |= IFM_IEEE80211_11NA;
Index: sys/net80211/ieee80211_freebsd.c
===================================================================
--- sys/net80211/ieee80211_freebsd.c	(revision 269480)
+++ sys/net80211/ieee80211_freebsd.c	(working copy)
@@ -822,11 +822,13 @@
 		 */
 		if (attach) {
 			ieee80211_syncflag_ext(vap, IEEE80211_FEXT_BPF);
-			if (vap->iv_opmode == IEEE80211_M_MONITOR)
+			if (vap->iv_opmode == IEEE80211_M_MONITOR ||
+			    vap->iv_opmode == IEEE80211_M_INJECT)
 				atomic_add_int(&vap->iv_ic->ic_montaps, 1);
 		} else if (!bpf_peers_present(vap->iv_rawbpf)) {
 			ieee80211_syncflag_ext(vap, -IEEE80211_FEXT_BPF);
-			if (vap->iv_opmode == IEEE80211_M_MONITOR)
+			if (vap->iv_opmode == IEEE80211_M_MONITOR ||
+			    vap->iv_opmode == IEEE80211_M_INJECT)
 				atomic_subtract_int(&vap->iv_ic->ic_montaps, 1);
 		}
 	}
Index: sys/net80211/ieee80211_ioctl.c
===================================================================
--- sys/net80211/ieee80211_ioctl.c	(revision 269480)
+++ sys/net80211/ieee80211_ioctl.c	(working copy)
@@ -1956,7 +1956,8 @@
 	vap->iv_des_chan = c;
 
 	error = 0;
-	if (vap->iv_opmode == IEEE80211_M_MONITOR &&
+	if ((vap->iv_opmode == IEEE80211_M_MONITOR ||
+	    vap->iv_opmode == IEEE80211_M_INJECT) &&
 	    vap->iv_des_chan != IEEE80211_CHAN_ANYC) {
 		/*
 		 * Monitor mode can switch directly.
Index: sys/net80211/ieee80211_monitor.c
===================================================================
--- sys/net80211/ieee80211_monitor.c	(revision 269480)
+++ sys/net80211/ieee80211_monitor.c	(working copy)
@@ -67,6 +67,7 @@
 ieee80211_monitor_attach(struct ieee80211com *ic)
 {
 	ic->ic_vattach[IEEE80211_M_MONITOR] = monitor_vattach;
+	ic->ic_vattach[IEEE80211_M_INJECT] = monitor_vattach;
 }
 
 void
Index: sys/net80211/ieee80211_node.c
===================================================================
--- sys/net80211/ieee80211_node.c	(revision 269480)
+++ sys/net80211/ieee80211_node.c	(working copy)
@@ -1701,7 +1701,8 @@
 
 	if (ni == NULL) {
 		if (vap->iv_opmode == IEEE80211_M_IBSS ||
-		    vap->iv_opmode == IEEE80211_M_AHDEMO) {
+		    vap->iv_opmode == IEEE80211_M_AHDEMO ||
+		    vap->iv_opmode == IEEE80211_M_INJECT) {
 			/*
 			 * In adhoc mode cons up a node for the destination.
 			 * Note that we need an additional reference for the
Index: sys/net80211/ieee80211_output.c
===================================================================
--- sys/net80211/ieee80211_output.c	(revision 269480)
+++ sys/net80211/ieee80211_output.c	(working copy)
@@ -711,6 +711,7 @@
 #endif
 			break;
 		case IEEE80211_M_MONITOR:	/* NB: to quiet compiler */
+		case IEEE80211_M_INJECT:	/* NB: to quiet compiler */
 			break;
 		}
 	} else {
Index: sys/net80211/ieee80211_proto.c
===================================================================
--- sys/net80211/ieee80211_proto.c	(revision 269480)
+++ sys/net80211/ieee80211_proto.c	(working copy)
@@ -81,6 +81,7 @@
 	"HOSTAP",	/* IEEE80211_M_HOSTAP */
 	"MONITOR",	/* IEEE80211_M_MONITOR */
 	"MBSS"		/* IEEE80211_M_MBSS */
+	"INJECT"	/* IEEE80211_M_INJECT */
 };
 const char *ieee80211_state_name[IEEE80211_S_MAX] = {
 	"INIT",		/* IEEE80211_S_INIT */
@@ -1292,6 +1293,7 @@
 			 */
 			vap->iv_flags_ext |= IEEE80211_FEXT_REINIT;
 			if (vap->iv_opmode == IEEE80211_M_MONITOR ||
+			    vap->iv_opmode == IEEE80211_M_INJECT ||
 			    vap->iv_opmode == IEEE80211_M_WDS)
 				ieee80211_new_state_locked(vap,
 				    IEEE80211_S_RUN, -1);
Index: sys/net80211/ieee80211_radiotap.c
===================================================================
--- sys/net80211/ieee80211_radiotap.c	(revision 269480)
+++ sys/net80211/ieee80211_radiotap.c	(working copy)
@@ -194,7 +194,8 @@
 
 	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
 		if (vap != vap0 &&
-		    vap->iv_opmode == IEEE80211_M_MONITOR &&
+		    (vap->iv_opmode == IEEE80211_M_MONITOR ||
+		    vap->iv_opmode == IEEE80211_M_INJECT) &&
 		    (vap->iv_flags_ext & IEEE80211_FEXT_BPF) &&
 		    vap->iv_state != IEEE80211_S_INIT)
 			bpf_mtap2(vap->iv_rawbpf, rh, len, m);
Index: sys/net80211/ieee80211_scan.c
===================================================================
--- sys/net80211/ieee80211_scan.c	(revision 269480)
+++ sys/net80211/ieee80211_scan.c	(working copy)
@@ -211,6 +211,7 @@
 	"wlan_scan_ap",		/* IEEE80211_M_HOSTAP */
 	"wlan_scan_monitor",	/* IEEE80211_M_MONITOR */
 	"wlan_scan_sta",	/* IEEE80211_M_MBSS */
+	"wlan_scan_inject",	/* IEEE80211_M_INJECT */
 };
 static const struct ieee80211_scanner *scanners[IEEE80211_OPMODE_MAX];
 
Index: sys/net80211/ieee80211_var.h
===================================================================
--- sys/net80211/ieee80211_var.h	(revision 269480)
+++ sys/net80211/ieee80211_var.h	(working copy)
@@ -630,6 +630,7 @@
 #define	IEEE80211_C_DFS		0x00020000	/* CAPABILITY: DFS/radar avail*/
 #define	IEEE80211_C_MBSS	0x00040000	/* CAPABILITY: MBSS available */
 #define	IEEE80211_C_SWSLEEP	0x00080000	/* CAPABILITY: do sleep here */
+#define	IEEE80211_C_INJECT	0x00100000	/* CAPABILITY: injection */
 /* 0x7c0000 available */
 #define	IEEE80211_C_WPA1	0x00800000	/* CAPABILITY: WPA1 avail */
 #define	IEEE80211_C_WPA2	0x01000000	/* CAPABILITY: WPA2 avail */
Index: sys/dev/ath/if_ath.c
===================================================================
--- sys/dev/ath/if_ath.c	(revision 269480)
+++ sys/dev/ath/if_ath.c	(working copy)
@@ -752,6 +752,7 @@
 		| IEEE80211_C_IBSS		/* ibss, nee adhoc, mode */
 		| IEEE80211_C_HOSTAP		/* hostap mode */
 		| IEEE80211_C_MONITOR		/* monitor mode */
+		| IEEE80211_C_INJECT		/* inject mode */
 		| IEEE80211_C_AHDEMO		/* adhoc demo mode */
 		| IEEE80211_C_WDS		/* 4-address traffic works */
 		| IEEE80211_C_MBSS		/* mesh point link mode */
@@ -1380,6 +1381,7 @@
 		/* fall thru... */
 #endif
 	case IEEE80211_M_MONITOR:
+	case IEEE80211_M_INJECT:
 		if (sc->sc_nvaps != 0 && ic->ic_opmode != opmode) {
 			/*
 			 * Adopt existing mode.  Adding a monitor or ahdemo
@@ -1546,6 +1548,7 @@
 		sc->sc_opmode = HAL_M_HOSTAP;
 		break;
 	case IEEE80211_M_MONITOR:
+	case IEEE80211_M_INJECT:
 		sc->sc_opmode = HAL_M_MONITOR;
 		break;
 	default:
@@ -5929,6 +5932,7 @@
 			}
 			break;
 		case IEEE80211_M_MONITOR:
+		case IEEE80211_M_INJECT:
 			/*
 			 * Monitor mode vaps have only INIT->RUN and RUN->RUN
 			 * transitions so we must re-enable interrupts here to
Index: sys/dev/ath/if_ath_rx.c
===================================================================
--- sys/dev/ath/if_ath_rx.c	(revision 269480)
+++ sys/dev/ath/if_ath_rx.c	(working copy)
@@ -164,7 +164,9 @@
 	if (ic->ic_opmode != IEEE80211_M_STA)
 		rfilt |= HAL_RX_FILTER_PROBEREQ;
 	/* XXX ic->ic_monvaps != 0? */
-	if (ic->ic_opmode == IEEE80211_M_MONITOR || (ifp->if_flags & IFF_PROMISC))
+	if (ic->ic_opmode == IEEE80211_M_MONITOR ||
+	    ic->ic_opmode == IEEE80211_M_INJECT ||
+	    (ifp->if_flags & IFF_PROMISC))
 		rfilt |= HAL_RX_FILTER_PROM;
 
 	/*
@@ -208,7 +210,8 @@
 		else
 			rfilt |= HAL_RX_FILTER_PROM;
 	}
-	if (ic->ic_opmode == IEEE80211_M_MONITOR)
+	if (ic->ic_opmode == IEEE80211_M_MONITOR ||
+	    ic->ic_opmode == IEEE80211_M_INJECT)
 		rfilt |= HAL_RX_FILTER_CONTROL;
 
 	/*