Module Name:    src
Committed By:   maxv
Date:           Sun Apr  8 08:57:37 UTC 2018

Added Files:
        src/doc: TODO.npf
Removed Files:
        src/usr.sbin/npf/npfctl: todo

Log Message:
Move NPF's todo list into src/doc/TODO.npf, and add some entries. After a
conversation (two months ago) with rmind and sborrill.


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/doc/TODO.npf
cvs rdiff -u -r1.15 -r0 src/usr.sbin/npf/npfctl/todo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Added files:

Index: src/doc/TODO.npf
diff -u /dev/null src/doc/TODO.npf:1.1
--- /dev/null	Sun Apr  8 08:57:37 2018
+++ src/doc/TODO.npf	Sun Apr  8 08:57:37 2018
@@ -0,0 +1,47 @@
+Another TODO list is available here:
+
+	https://www.netbsd.org/~rmind/npf/__tasklist.html
+
+====== DOCUMENTATION ======
+
+-- how to convert other packet filters to npf
+
+-- add more examples
+
+====== NPFCTL ======
+
+-- npfctl start does not load the configuration if not loaded.
+   It is not clear you need to reload first. Or if it loads it should
+   print the error messages. Or it should be called enable/disable since
+   this is what it does. It does not "start" because like an engine with
+   no fuel, an npf with no configuration does not do much.
+
+-- npf starts up too late (after traffic can go through)
+
+-- although the framework checks the file for consistency, returning EINVAL
+   for system failures is probably not good enough. For example if a module
+   failed to autoload, it is probably an error and it should be reported
+   differently?
+
+-- startup/stop script does not load and save session state
+
+-- add algo for "with short"
+
+-- implement "port-unr"
+
+-- implement block return-icmp in log final all with ipopts
+
+-- handle array variables in more places
+
+====== GENERAL ======
+
+-- disable IPv4 options by default, and add a "allow-ip4opts" feature to
+   enable them
+
+-- disable IPv6 options (IPPROTO_ROUTING, IPPROTO_HOPOPTS and IPPROTO_DSTOPTS)
+   by default, and add a "allow-ip6opts" feature to enable them
+
+-- add an ioctl, similar to PF's DIOCNATLOOK and IPF's SIOCGNATL, and document
+   it so that it can be added in third-party software, like:
+       https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/ip/Intercept.cc#L263
+
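Review bot: In the NPFCTL section, the entry "npf starts up too late (after traffic can go through)" records a boot-time window in which traffic passes before npf is up, yet it sits unmarked among feature requests such as "implement "port-unr"" and states no intended fix. Consider flagging it as security-relevant and adding a line on the intended direction, in the way the "npfctl start" entry spells out its alternatives. In the GENERAL section, "a "allow-ip4opts"" and "a "allow-ip6opts"" should read "an". The opening pointer to the external tasklist also does not say which of the two lists is authoritative, so it would help to state that here.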
