This is an overview of some of the completed work on pf.

  • ioctl() improvements

    A number of pf ioctl() commands can currently cause panics through overflows. These are not exploitable any more, because the panic happens in mallocarray(), which explicitly checks for overflows.

    They all require root access to trigger, but now that jails can have their own pf instance, this is more important.

    Along with these fixes ioctl validation tests have been added to the test suite.

    r332404, r332143, r332142, r332137, r332136, r332108, r332107, r332102, r332101
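
    The class of check behind these fixes, as an added userland sketch that is not pf's own code: a caller-supplied element count is bounded and overflow-tested before any allocation, so an oversized ioctl argument is answered with EINVAL rather than reaching the allocator. The record type, the ceiling and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>
#include <stdlib.h>

/* Hypothetical fixed-size record standing in for a pf table or rule entry. */
struct pf_entry { uint8_t data[64]; };

/* Hypothetical ceiling on how many entries one ioctl may pass in. */
#define PF_MAX_ENTRIES 65536

/* The test an overflow-checking array allocator applies: would nmemb * size
 * wrap size_t?  (In the kernel, mallocarray() panics or fails here.) */
static bool would_overflow(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Reject a bad count before allocation; returns 0 or an errno value. */
int pf_validate_count(size_t nmemb)
{
    if (nmemb == 0 || nmemb > PF_MAX_ENTRIES)
        return EINVAL;
    /* Unreachable given the ceiling above; kept so the check survives
     * if the ceiling is ever raised or removed. */
    if (would_overflow(nmemb, sizeof(struct pf_entry)))
        return EINVAL;
    return 0;
}

/* Allocate a zeroed array only after validation; NULL and *error on failure. */
struct pf_entry *pf_alloc_entries(size_t nmemb, int *error)
{
    *error = pf_validate_count(nmemb);
    if (*error != 0)
        return NULL;
    struct pf_entry *p = calloc(nmemb, sizeof(*p));
    if (p == NULL)
        *error = ENOMEM;
    return p;
}
```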

  • IPv6 fragmentation handling

    pf has been able to reassemble IPv6 packets and filter on the full packet for some time now. As of r331436 it will not confuse forwarding and output any more. This was the main remaining issue with this code.

  • Tests

    Inspired by the GSoC project of Panagiotes Mousikides, there are now a few automated tests for pf. These rely on VIMAGE to create jails with their own IP stack and pf instance, so they can inject packets and test how pf responds.

    Many more tests need to be written, but the framework is in place, and it’s now relatively easy to write more tests.

    Panagiotes Mousikides also implemented tests for the pfctl parser code.

  • pfsync performance improvements

    See sponsored work.