Improving FreeBSD's pf

This a somewhat-complete list of my contributions to FreeBSD. Please note that some commits are not 100% own work as they are backports of OpenBSD code or are collaboration with other FreeBSD developers. Also some bug reports have never been completed or have been superseeded by later work.

Bug reports:

• On state creation src_node is looked up twice.
• route-to rule passes traffic when no targets are specified.
• Route-to rule forwarding traffic inspite of state limit.
• Removing pf Source entries locks kernel.
• IPv6 and synproxy don't play well together

Commits:

• To support upcoming changes change internal API for source node handling...
• The DIOCKILLSRCNODES operation was implemented with O(m*n) complexity, where "m" is number of source nodes and "n" is number of states. Thus, on heavy loaded router its processing consumed a lot of CPU time.
• Count global pf(4) statistics in counter(9).
• Fix synproxy with IPv6. pf_test6() was missing a check for M_SKIP_FIREWALL.
• pf_map_addr() can fail and in this case we should drop the packet, otherwise bad consequences including a routing loop can occur.
• Do not lookup source node twice when pf_map_addr() is used.
• Explicitly free packet on PF_DROP, otherwise a "quick" rule with "route-to" may still forward it.
• pf: Use counter(9) in pf tables.
• pf: Support "return" statements in passing rules when they fail.
• pf tests: Properly destroy renamed interfaces
• Backport OpenBSD syntax of "scrub" option for "match" and "pass" rules
• netpfil tests: Improve sniffer.py
• netpfil tests: Improve pft_ping.py
• netpfil tests: Improve pfsync_defer.py
• netpfil tests: Add functions for testing routing scenarios
• netpfil tests: Add tests for the new scrub syntax
• netstat: pfsync stats spelling
• pfctl: Fix superblock printf format mismatch
• Make contents of struct pfsync_state configurable
• Add missing pf reasons and actions to tcpdump
• pf :Reduce number of hashing operations when handling source nodes
• pf: Improve source node error handling
• pfsync: Remove deletion of states using the full pfsync_state struct
• pf: Standardize rtableid
• pfctl: Add missing state parameters in DIOCGETSTATESV2
• pf: Fix usage of pf tags with syncookies
• pf: Fix duplicate storage of direction
• pf: Simplify rule actions logic
• pf: Enable the syncookie feature for IPv6 and reduce indentation
• pf: Access r->rpool.cur->kif under mutex protection

Drafts, proposals, weird ideas, abandonned projects:

• Traffic dropped by accepting rules is not counted.
• Synproxy not working with route-to.
• pf: Switch pf_route() to PACKET_TAG_IPFORWARD tag
• Forwarding: Use the next hop installed by pfil_mbuf_in
• pf: Fix source tracking for route-to rules and for global tracking