Missing features?

- VRRP-like redundancy & fail-over (evade patents)
    - run multiple pf hosts (master, slave)
    - share state table entries
    - re-elect master on failure
- Payload inspection and manipulation
    - e.g. honeypots
    - single packets vs. TCP streams (userland!)
    - interface to pass packets to userland and back
    - performance