TODO.npf revision 1.12
1 # $NetBSD: TODO.npf,v 1.12 2025/04/17 18:39:35 gdt Exp $ 2 3 # Meta 4 5 This file intends to be the location for all work needing to be done 6 for npf within NetBSD, except for bugs that are straightforward enough to live 7 in gnats. 8 9 (The older TODO list, last modified in May, 2020: 10 https://www.netbsd.org/~rmind/npf/__tasklist.html 11 has been merged into this file.) 12 13 ## Review all items to see if they are still relevant and correct. 14 15 # Documentation 16 17 ## Conversion Guides 18 19 Add instructions for converting configuration for other packet filters 20 to npf configuration. 21 22 ## More Examples 23 24 # NetBSD integration 25 26 ## save/restore 27 28 /etc/rc.d/npf lacks the ability to save and load state (stateful rules 29 and NAT). 30 31 # npfctl 32 33 ## npfctl start does not load 34 35 npfctl start does not load the configuration if not loaded. 36 It is not clear you need to reload first. Or if it loads it should 37 print the error messages. Or it should be called enable/disable since 38 this is what it does. It does not "start" because like an engine with 39 no fuel, an npf with no configuration does not do much. 40 41 Alternatively: warn if there are no rules, or decide that npfctl 42 behaves as documented. 43 44 ## better error reporting 45 46 although the framework checks the file for consistency, returning 47 EINVAL for system failures is probably not good enough. For example if 48 a module failed to autoload, it is probably an error and it should be 49 reported differently? 50 51 ## handle array variables in more places 52 53 (Decide if this is just about npfctl or also about the kernel, and if 54 the latter move it.) 55 56 ## support variables and inline sets which contain both IPv4 and IPv6 addresses 57 58 for example: $ext_if = { inet4(wm0), inet6(wm0) } 59 60 (Decide if this is just about npfctl or also about the kernel, and if 61 the latter move it.) 62 63 ## support inline blocks with different types of data in the rule. 64 65 This will require a clean-up of the type system in 66 npfctl parser, since it is currently a bit of a mess. Examples: 67 68 pass in from all to { inet4(wm0), $some_var, 10.0.0.1, } 69 pass in final proto tcp to 172.28.1.2 port { 161, 162 } 70 pass in final proto { tcp, udp } to 172.28.1.2 port 53 71 72 [MOSTLY DONE?] 73 74 (Decide if this is just about npfctl or also about the kernel, and if 75 the latter move it.) 76 77 ## npf show improvements 78 79 Consistent `npfctl show' output with rule syntax. Difficult/messy 80 because rules are compiled into the byte-code. 81 82 Add examples of what is wrong. 83 84 ## -D option to set variables 85 86 Allow `npfctl -D varname=value` to set a variable, as if were defined 87 in the config file. See pfctl(8). 88 89 # Architectural changes 90 91 ## Layer 2 filtering 92 93 1. All rules in NPF are added to a ruleset. At this moment, it is assumed 94 that there is only one ruleset and all rules are processed at layer 3. 95 One approach is to support another ruleset for layer 2 (or rather, have 96 capability to specify the "starting layer"). 97 98 2. One way to separate L2 and L3 rules could be by marking groups. In NPF, 99 a group is just a rule (i.e. rules can be nested). 100 101 3. npfctl: update the parser such that the group would have an option for 102 specifying a layer. See "group_opts" token in npf_parse.y file. Also, 103 we may want to add support for "hwaddr <mac>" syntax or something. 104 105 4. npfctl_build_rule() code will need to distinguish groups/rules which 106 were marked as layer 2, i.e. byte-code generation (npfctl_build_code() 107 and the logic in it) needs to know that we are starting from Ethernet 108 header and not IP header. Note: it needs to be passed to all nested 109 rules, so basically take the option from the "current group". 110 111 5. For a start (i.e. less work to do), you can just add byte-code to parse 112 Ethernet header and compare the MAC addresses. Just return "not supported" 113 error for any other filter pattern. 114 115 6. libnpf: create a new ruleset for L2 and add all groups (and its nested 116 rules) there. To keep it simpler, we can add npf_rule_setlayer() function 117 and just handle this separation in libnpf rather than npfctl. 118 119 7. libnpf-kernel: currently, proplib dictionary has only one "ruleset" dict. 120 This needs to be split into "ruleset-l3" and "ruleset-l2". Retrieve and 121 construct a new ruleset in npfctl_reload(); it is simple, but disgusting 122 proplib code. It is just re-using the existing code to handle another 123 ruleset. 124 125 8. Kernel: add a new handler in npf_handler.c, e.g. npf_packet_l2handler() 126 or something. Register it in npf_pfil_register() using Ethernet pfil 127 hook. In the handler, call npf_ruleset_inspect() passing L2 ruleset. 128 129 ## Consider single large BPF program 130 131 Implement NPF rules as a single large BPF program, instead of 132 providing BPF byte-code per each rule. In combination with BPF JIT 133 compilation, such approach would significantly improve the performance 134 of very large rulesets. Problems: BPF byte-code limitations; we can 135 either extend the byte-code or workaround them. 136 137 ## Multiple rule matching 138 139 Multiple rule matching to call the rule-procedures or a suitable 140 design alternative to that. 141 142 (Explain what this means more clearly.) 143 144 ## ipchains-like feature 145 146 Implement ipchains-like feature to support nested rules and sharing of 147 a rule group. NPF already supports nested rules. Unresolved questions 148 are: 1) what kind of complexity of rule chains do we want to support, 149 e.g. a directed graph with loop resolution or more strict hierarchy 150 which does not allow jumping up the chain? 2) syntax in npf.conf file. 151 152 ## redundancy and load balancing 153 154 Redundancy and load balancing: initially, add state replication and 155 replace in-kernel CARP/VRRP with a userlevel daemon. 156 157 Check "Note: we probably want to eliminate proplib in NPF before doing 158 this." and drop if proplib has in fact been eliminated. 159 160 ## QoS 161 162 QoS: rate limiting, traffic shaping, prioritising. Question: how much 163 of this should be a part of the packet filter and how much of the 164 network stack (merely involving some integration with the packet 165 filters)? 166 167 ## address/port and port in tables 168 169 Tables currently contain addresses. Add support for address/port 170 tuples, and ports. 171 172 # Features (not needing architectural changes) 173 174 ## Add an extension to support source routing / re-routing of packets. 175 176 See: http://mail-index.netbsd.org/tech-net/2014/05/19/msg004526.html 177 178 ## support for ALTQ 179 180 Integration with ALTQ as an intermediate solution. In the long term, 181 we should implement a better QoS mechanism as part of NPF. Meanwhile, 182 NPF can integrate with ALTQ quite easily using the mbuf tags. 183 184 (Explain this more clearly. It seems to be "use npf as a classifier 185 for ALTQ".) 186 187 ## Support for NAT64 i.e. the protocol translation. 188 189 ## Implement ftp-proxy forward proxy support 190 191 (for active FTP client behind NAT). 192 193 ## MiniUPnP 194 195 Add support for MiniUPnP (see http://miniupnp.free.fr/ web page). 196 197 ## add support for "with short" 198 199 ## implement "port-unr" 200 201 (Explain; this seems to be a rule keyword to return specific 202 unreachable types, but it's not clear if something more was intended.) 203 204 # Security 205 206 ## Extra measures to protect npf from SYN flood attacks. 207 208 E.g. accelerate connection expiration on low memory or after certain 209 threshold. The timeout can also be self-balancing. This item is about 210 protecting npf state in situations where excessive SYNs arrive in 211 situations where a legitimate SYN should trigger a state entry. 212 213 ## Consider blind reset attacks (see RFC 5961). 214 215 This is about the situation when npf is doing stateful processing on a 216 TCP connection and only allowing packets matching the connection. 217 Extend the definition of a packet matching the connection to meet the 218 new rules in RFC5961, and perhaps generate the specified response 219 packets. 220 221 ## Consider experimentation to use bloom filters against certain DoS attacks. 222 223 (This needs much more clarity.) 224 225 # General 226 227 ## IPv4 options 228 229 Implement "block return-icmp in log final all with ipopts". 230 (Explain if this is more than "enable writing rules to match packets 231 with ip options".) 232 233 Consider defaulting to blocking options, with "allow-ip4opts" to 234 enable them. 235 236 ## IPv6 options 237 238 (Jointly with IPv4 options.) 239 240 Perhaps a limited set (IPPROTO_ROUTING, IPPROTO_HOPOPTS and 241 IPPROTO_DSTOPTS) by default, and "allow-ip6opts" to enable others. 242 243 ## add an ioctl, similar to PF's DIOCNATLOOK and IPF's SIOCGNATL 244 245 document it so that it can be added in third-party software, like: 246 https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/ip/Intercept.cc#L263 247 248 ## patch squid to support transparent-proxy with NPF. 249 250 (Likely, simply using the ioctl from the previous item.) 251 252 ## support IPv6 jumbograms 253 254 (Explain what is or is not supported now, and what needs to happen 255 differently.) 256 257 ## support large IPv6 options 258 259 as explained here: 260 http://mail-index.netbsd.org/tech-net/2018/04/08/msg006786.html 261 But it's not a big problem - perhaps we don't care at all. 262 263 ## improve mss clamping 264 265 as explained here: 266 http://mail-index.netbsd.org/tech-net/2017/01/15/msg006224.html 267 268 ## IPv6 reassembly 269 270 Investigate and fix the IPv6 reassembly (there is a memory leak). 271 272 ## nbuf_ensure_writable 273 274 Use nbuf_ensure_writable() where appropriate. 275 276 ## TCP FSM enhancement 277 278 Minor TCP FSM investigation: should it be not allowed to immediately 279 re-open the connection after RST or FIN? 280 281 (Explain what this means, how it relates to standards, and what the 282 concerns are.) 283
Indexes created Tue Sep 30 11:09:46 GMT 2025