# $NetBSD: TODO.npf,v 1.10 2025/04/17 16:26:36 gdt Exp $

# Meta

## merge rmind@'s TODO

Merge still-to-be-done-items from another TODO list which was last
modified in May, 2020:
https://www.netbsd.org/~rmind/npf/__tasklist.html

## Review all items to see if they are still relevant and correct.

# Documentation

## how to convert other packet filters to npf

## add more examples

# npfctl

## npfctl start does not load

npfctl start does not load the configuration if not loaded.
It is not clear you need to reload first. Or if it loads it should
print the error messages. Or it should be called enable/disable since
this is what it does. It does not "start" because like an engine with
no fuel, an npf with no configuration does not do much.

## better error reporting

Although the framework checks the file for consistency, returning
EINVAL for system failures is probably not good enough. For example, if
a module failed to autoload, it is probably an error and it should be
reported differently?

## startup/stop script does not load and save session state

## add algo for "with short"

## implement "port-unr"

## implement block return-icmp in log final all with ipopts

## handle array variables in more places

# General

## disable IPv4 options by default

and add an "allow-ip4opts" feature to enable them

## disable IPv6 options

(IPPROTO_ROUTING, IPPROTO_HOPOPTS and IPPROTO_DSTOPTS) by default, and
add an "allow-ip6opts" feature to enable them

## add an ioctl, similar to PF's DIOCNATLOOK and IPF's SIOCGNATL

document it so that it can be added in third-party software, like:
https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/ip/Intercept.cc#L263

## support IPv6 jumbograms

## support large IPv6 options

as explained here:
http://mail-index.netbsd.org/tech-net/2018/04/08/msg006786.html
But it's not a big problem - perhaps we don't care at all.

## add command line variables. See -D option in pf.

## improve mss clamping

as explained here:
http://mail-index.netbsd.org/tech-net/2017/01/15/msg006224.html
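For the "disable IPv6 options" item above, the following added example (not NPF code) sketches a default-deny walk of the IPv6 extension-header chain in user-space C. The names `check_ip6_exthdrs` and `sample_verdict`, the verdict values, and the exact semantics of the "allow-ip6opts" switch are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* IANA protocol numbers for the headers named in the TODO item. */
enum { P_HOPOPTS = 0, P_UDP = 17, P_ROUTING = 43, P_FRAGMENT = 44,
       P_DSTOPTS = 60, IP6_HDRLEN = 40 };
enum verdict { V_PASS, V_BLOCK_EXTHDR, V_BLOCK_MALFORMED };

/* Walk the extension-header chain of a raw IPv6 packet. allow_ip6opts
 * models the proposed "allow-ip6opts" switch (hypothetical semantics). */
enum verdict check_ip6_exthdrs(const uint8_t *pkt, size_t len, int allow_ip6opts)
{
	if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
		return V_BLOCK_MALFORMED;
	uint8_t nxt = pkt[6];		/* Next Header of the fixed header */
	size_t off = IP6_HDRLEN, hlen = 0;
	for (;;) {
		switch (nxt) {
		case P_HOPOPTS: case P_ROUTING: case P_DSTOPTS:
			if (!allow_ip6opts)
				return V_BLOCK_EXTHDR;	/* default-deny */
			if (len - off < 2)
				return V_BLOCK_MALFORMED;
			/* Hdr Ext Len counts 8-byte units past the first */
			hlen = ((size_t)pkt[off + 1] + 1) * 8;
			break;
		case P_FRAGMENT:
			hlen = 8;	/* fixed size; reassembly is out of scope */
			break;
		default:
			return V_PASS;	/* upper-layer protocol reached */
		}
		if (len - off < hlen)
			return V_BLOCK_MALFORMED;	/* truncated header */
		nxt = pkt[off];
		off += hlen;
	}
}

/* Constructed sample: fixed header, optional 8-byte extension header of
 * type ext (none if ext < 0), 8-byte UDP header, with cut bytes trimmed. */
enum verdict sample_verdict(int ext, int allow, size_t cut)
{
	uint8_t p[IP6_HDRLEN + 16] = { 0x60 };	/* version 6, rest zero */
	size_t len = IP6_HDRLEN + 8;
	p[6] = P_UDP;
	if (ext >= 0) {
		p[6] = (uint8_t)ext;
		p[IP6_HDRLEN] = P_UDP;	/* extension header's Next Header */
		len += 8;		/* Hdr Ext Len 0 means 8 bytes */
	}
	return check_ip6_exthdrs(p, len - cut, allow);
}
```

Every length is checked before the corresponding read, so a truncated chain yields `V_BLOCK_MALFORMED` rather than an out-of-bounds access.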