Various small things (in 3.3, cont.)

pf.conf syntax/parser improvements, most parameters optional, arbitrary order
set block-policy drop|return
antispoof, parser generates blocking rules appropriate for the specified interfaces
pfsync, similar to pflog but logs state creations/deletions
support for fragments with DF, used by Linux/Solaris NFS, doing PMTU discovery on fragments
support for "Raptor" SYN flood protection scheme
all features fully work for IPv6, too