This is an aspirational page. It lists the things I’d like to/hope to work on. No promises.

It’s roughly sorted by my personal priorities.

  • Bugfixes

    There are a lot of open bug reports for pf. In general I try to prioritise bugfixes over new features.

  • More tests

    Now that the first few pf tests have been implemented it’s a lot easier to extend this. I hope to be able to add test cases for as many newly fixed bugs as possible and all new features.

    If you’ve got a pet bug that you want to see fixed one of the best ways of helping with that (short of actually fixing it yourself) is to write a test case for it.

    Here are a couple of things I still want to add (but I won’t be upset if someone else does it for me):

    • Verify that fragmented NDP packets are dropped
    • Verify that overlapping fragments are dropped
    • Check that traffic class is preserved across reassembly and refragmentation

  • match keyword

    OpenBSD introduced a new ‘match’ keyword a number of years ago, which is one of the main points of difference between FreeBSD pf and OpenBSD pf.

    This is a non-trivial import, because OpenBSD removed the ‘scrub’ keyword when they introduced ‘match’. If we’re going to import it we’ll need to work out how to retain ‘scrub’, so we don’t break existing firewall configurations.

    I have a very early import of the initial patch, but this is untested, and does not fix the ‘scrub’ problem.

  • set_tos

    It’s possible to set the ToS bits for IPv4 packets, but this still needs to be extended to support IPv6. I’ve been keeping this as an introductory feature for people interested in getting involved in pf work, but at some point I’m just going to do it myself.

  • pf_walk_header6()

    pf has issues matching the correct protocol in IPv6. At a minimum this affects scrub rules, which currently can’t match on protocol at all, because doing so requires walking the extension header chain.

    OpenBSD has pf_walk_header6() for this. We should look at importing it. (OpenBSD d68283bbf091216852406752738c14e17e487487)

  • max-pkt-rate

    OpenBSD introduced a packet rate matching filter. See if we can import that work.

  • ifgroup names

    PR 218895

    The problem is that while pf assumes that interface group names and interface names share a namespace (i.e. it’s impossible for an interface group and an interface to have the same name), this isn’t actually true.

    If this assumption is violated pf will cause a panic.

    The best fix for this isn’t in pf, but in the network stack itself.

  • Implement RFC7112 checks in pf

    RFC7112 specifies that the full IPv6 header chain should be present in the first fragment. pf should enforce this.

    It would also allow us to do meaningful filtering on fragmented packets without performing a full reassembly. That’d have interesting performance benefits, but I’m ambivalent about introducing a new fragment handling mode for IPv6 after I killed the alternative mode for IPv4 (crop/drop-ovl).
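    As an added illustration of what the pf_walk_header6() item and the RFC7112 item both need, here is a small header-chain walker (example code written for this page, not pf’s or OpenBSD’s implementation) that returns the upper-layer protocol of an IPv6 packet and rejects a first fragment whose chain is cut off before the upper-layer header. The sample packets are constructed; AH/ESP are treated as upper-layer headers and only the start of the upper-layer header is required, whereas a full RFC 7112 check would also require its whole length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* IANA protocol numbers of the headers walked here; anything else (TCP, UDP,
 * ICMPv6, AH, ESP, No Next Header) ends the chain as the upper-layer protocol. */
enum { IP6_HOPOPTS = 0, IP6_TCP = 6, IP6_ROUTING = 43, IP6_FRAGMENT = 44, IP6_DSTOPTS = 60 };
enum { WALK_TRUNCATED = -1, WALK_RFC7112 = -2 }; /* negative results; >= 0 is a protocol number */

/* Walk the IPv6 header chain of one packet and return its upper-layer protocol.
 * In a first fragment (offset 0) the whole chain, including at least the start of
 * the upper-layer header, must be present (RFC 7112), otherwise WALK_RFC7112. */
int walk_header6(const uint8_t *pkt, size_t len)
{
    if (len < 40) return WALK_TRUNCATED;
    uint8_t nxt = pkt[6];                     /* Next Header of the fixed IPv6 header */
    size_t off = 40;
    int first_frag = 0;
    for (;;) {
        if (nxt == IP6_HOPOPTS || nxt == IP6_ROUTING || nxt == IP6_DSTOPTS) {
            if (off + 2 > len) return first_frag ? WALK_RFC7112 : WALK_TRUNCATED;
            size_t hlen = ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len: 8-octet units, first 8 excluded */
            if (off + hlen > len) return first_frag ? WALK_RFC7112 : WALK_TRUNCATED;
            nxt = pkt[off];
            off += hlen;
        } else if (nxt == IP6_FRAGMENT) {
            if (off + 8 > len) return first_frag ? WALK_RFC7112 : WALK_TRUNCATED;
            uint16_t fragoff = (((uint16_t)pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8;
            nxt = pkt[off];
            off += 8;
            if (fragoff != 0) return nxt;    /* non-first fragment: only the protocol number is known */
            first_frag = 1;                  /* first fragment: the rest of the chain must follow */
        } else {
            return (first_frag && off >= len) ? WALK_RFC7112 : nxt; /* upper-layer header reached */
        }
    }
}

/* Constructed sample packets: zeroed 40-byte base header with only Next Header set,
 * followed by the given extension headers and `tail` bytes of upper-layer data. */
static int sample(uint8_t first_nxt, const uint8_t *ext, size_t extlen, size_t tail)
{
    uint8_t b[128] = { 0 };
    b[6] = first_nxt;
    if (extlen) memcpy(b + 40, ext, extlen);
    return walk_header6(b, 40 + extlen + tail);
}
int sample_plain_tcp(void) { return sample(IP6_TCP, NULL, 0, 20); }                                              /* IPv6 | TCP(20): 6 */
int sample_first_frag_ok(void) { return sample(IP6_DSTOPTS, (const uint8_t[16]){ IP6_FRAGMENT, 0,0,0,0,0,0,0, IP6_TCP }, 16, 20); } /* IPv6 | DstOpts | Frag(0) | TCP(20): 6 */
int sample_rfc7112_bad(void) { return sample(IP6_FRAGMENT, (const uint8_t[16]){ IP6_DSTOPTS, 0,0,0,0,0,0,0, IP6_TCP }, 16, 0); }   /* IPv6 | Frag(0) | DstOpts, nothing after: WALK_RFC7112 */
int sample_later_frag(void) { return sample(IP6_FRAGMENT, (const uint8_t[8]){ IP6_TCP, 0, 0x00, 0x08 }, 8, 20); }               /* IPv6 | Frag(8) | data: 6 */
```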

  • dummynet

    Apple have extended their pf version to use dummynet for traffic shaping. It would be useful to see if this can be imported into FreeBSD. pf in FreeBSD currently uses ALTQ, which is not enabled by default, for traffic shaping, while ipfw uses dummynet. It’s a bit silly to have two codebases for this.

  • dynamic hash table scaling

    Users can configure the maximum number of states at runtime, but the size of the hash table (used to look up states) is not configurable. This can lead to either wasted memory or slower lookups (when it’s too small, because each hash row then contains many states we have to iterate through).

    It should be possible to gradually move states over to a new hash table, allowing it to be resized at runtime. This should remove the need for manual tuning.

    Appropriate sizing of the hash table can improve performance by ~10%, according to benchmarks.

  • Performance work

    ipfw recently became a lot faster. See the benchmark work Olivier Cochard-Labbé did. It would be useful to investigate if there’s room for improvement in pf too.