TODO.npf revision 1.13
1 # $NetBSD: TODO.npf,v 1.13 2025/04/17 19:04:15 gdt Exp $ 2 3 # Meta 4 5 This file intends to be the location for all work needing to be done 6 for npf within NetBSD, except for bugs that are straightforward enough to live 7 in gnats. 8 9 (The older TODO list, last modified in May, 2020: 10 https://www.netbsd.org/~rmind/npf/__tasklist.html 11 has been merged into this file.) 12 13 ## Review all items to see if they are still relevant and correct. 14 15 # Documentation 16 17 ## Conversion Guides 18 19 Add instructions for converting configuration for other packet filters 20 to npf configuration. 21 22 ## More Examples 23 24 # NetBSD integration 25 26 ## save/restore 27 28 /etc/rc.d/npf lacks the ability to save and load state (stateful rules 29 and NAT). 30 31 # npfctl 32 33 ## npfctl start does not load 34 35 npfctl start does not load the configuration if not loaded. 36 It is not clear you need to reload first. Or if it loads it should 37 print the error messages. Or it should be called enable/disable since 38 this is what it does. It does not "start" because like an engine with 39 no fuel, an npf with no configuration does not do much. 40 41 Alternatively: warn if there are no rules, or decide that npfctl 42 behaves as documented. 43 44 ## better error reporting 45 46 although the framework checks the file for consistency, returning 47 EINVAL for system failures is probably not good enough. For example if 48 a module failed to autoload, it is probably an error and it should be 49 reported differently? 50 51 ## handle array variables in more places 52 53 (Decide if this is just about npfctl or also about the kernel, and if 54 the latter move it.) 55 56 ## support variables and inline sets which contain both IPv4 and IPv6 addresses 57 58 for example: $ext_if = { inet4(wm0), inet6(wm0) } 59 60 (Decide if this is just about npfctl or also about the kernel, and if 61 the latter move it.) 62 63 ## support inline blocks with different types of data in the rule. 64 65 This will require a clean-up of the type system in 66 npfctl parser, since it is currently a bit of a mess. Examples: 67 68 pass in from all to { inet4(wm0), $some_var, 10.0.0.1, } 69 pass in final proto tcp to 172.28.1.2 port { 161, 162 } 70 pass in final proto { tcp, udp } to 172.28.1.2 port 53 71 72 [MOSTLY DONE?] 73 74 (Decide if this is just about npfctl or also about the kernel, and if 75 the latter move it.) 76 77 ## npf show improvements 78 79 Consistent `npfctl show' output with rule syntax. Difficult/messy 80 because rules are compiled into the byte-code. 81 82 Add examples of what is wrong. 83 84 ## -D option to set variables 85 86 Allow `npfctl -D varname=value` to set a variable, as if were defined 87 in the config file. See pfctl(8). 88 89 # Architectural changes 90 91 ## Layer 2 filtering 92 93 1. All rules in NPF are added to a ruleset. At this moment, it is assumed 94 that there is only one ruleset and all rules are processed at layer 3. 95 One approach is to support another ruleset for layer 2 (or rather, have 96 capability to specify the "starting layer"). 97 98 2. One way to separate L2 and L3 rules could be by marking groups. In NPF, 99 a group is just a rule (i.e. rules can be nested). 100 101 3. npfctl: update the parser such that the group would have an option for 102 specifying a layer. See "group_opts" token in npf_parse.y file. Also, 103 we may want to add support for "hwaddr <mac>" syntax or something. 104 105 4. npfctl_build_rule() code will need to distinguish groups/rules which 106 were marked as layer 2, i.e. byte-code generation (npfctl_build_code() 107 and the logic in it) needs to know that we are starting from Ethernet 108 header and not IP header. Note: it needs to be passed to all nested 109 rules, so basically take the option from the "current group". 110 111 5. For a start (i.e. less work to do), you can just add byte-code to parse 112 Ethernet header and compare the MAC addresses. Just return "not supported" 113 error for any other filter pattern. 114 115 6. libnpf: create a new ruleset for L2 and add all groups (and its nested 116 rules) there. To keep it simpler, we can add npf_rule_setlayer() function 117 and just handle this separation in libnpf rather than npfctl. 118 119 7. libnpf-kernel: currently, proplib dictionary has only one "ruleset" dict. 120 This needs to be split into "ruleset-l3" and "ruleset-l2". Retrieve and 121 construct a new ruleset in npfctl_reload(); it is simple, but disgusting 122 proplib code. It is just re-using the existing code to handle another 123 ruleset. 124 125 8. Kernel: add a new handler in npf_handler.c, e.g. npf_packet_l2handler() 126 or something. Register it in npf_pfil_register() using Ethernet pfil 127 hook. In the handler, call npf_ruleset_inspect() passing L2 ruleset. 128 129 ## Consider single large BPF program 130 131 Implement NPF rules as a single large BPF program, instead of 132 providing BPF byte-code per each rule. In combination with BPF JIT 133 compilation, such approach would significantly improve the performance 134 of very large rulesets. Problems: BPF byte-code limitations; we can 135 either extend the byte-code or workaround them. 136 137 ## Multiple rule matching 138 139 Multiple rule matching to call the rule-procedures or a suitable 140 design alternative to that. 141 142 (Explain what this means more clearly.) 143 144 ## ipchains-like feature 145 146 Implement ipchains-like feature to support nested rules and sharing of 147 a rule group. NPF already supports nested rules. Unresolved questions 148 are: 1) what kind of complexity of rule chains do we want to support, 149 e.g. a directed graph with loop resolution or more strict hierarchy 150 which does not allow jumping up the chain? 2) syntax in npf.conf file. 151 152 ## redundancy and load balancing 153 154 Redundancy and load balancing: initially, add state replication and 155 replace in-kernel CARP/VRRP with a userlevel daemon. 156 157 Check "Note: we probably want to eliminate proplib in NPF before doing 158 this." and drop if proplib has in fact been eliminated. 159 160 ## QoS 161 162 QoS: rate limiting, traffic shaping, prioritising. Question: how much 163 of this should be a part of the packet filter and how much of the 164 network stack (merely involving some integration with the packet 165 filters)? 166 167 ## address/port and port in tables 168 169 Tables currently contain addresses. Add support for address/port 170 tuples, and ports. 171 172 ## Separate mss clamping from normal rules 173 174 Currently, mss clamping is a rule procedure and has to be specified on 175 a matching rule. But, if there are both firewall rules and a desire 176 to clamp, then one has to add clamping to all rules. This item is 177 about having a way to express rules normally, and also say that 178 clamping shouldhappen. 179 180 http://mail-index.netbsd.org/tech-net/2017/01/15/msg006224.html 181 182 # Features (not needing architectural changes) 183 184 ## Add an extension for "route-to" 185 186 The essence is to change the next hop of a packet if it matches a 187 rule. 188 189 http://mail-index.netbsd.org/tech-net/2014/05/19/msg004526.html 190 191 ## support for ALTQ 192 193 ALTQ is a QoS scheme, and it expects a way to classify packets so that 194 different flows can be treated differently. Currently, ALTQ in NetBSD 195 uses pf. (An earlier comment indicated a solution might involve mbuf 196 tags.) 197 198 ## Support for NAT64 i.e. the protocol translation. 199 200 ## MiniUPnP 201 202 Add support for MiniUPnP (see http://miniupnp.free.fr/ web page). 203 204 ## add support for "with short" 205 206 (Clarify: is this about dropping packets that are shorter than they 207 should be? Why would the user choose?) 208 209 ## Add specific kinds of ICMP unreachable 210 211 Currently, rules are documented to allow returning `ICMP UNREACHABLE` 212 given the keyword `return-icmp`. Probably this is ICMP Admin 213 Prohibited, but this is not clear. 214 215 This item is about different or additional keywords to allow the user 216 to specify network, host, or port unreachable instead. 217 218 # Security 219 220 ## Extra measures to protect npf from SYN flood attacks. 221 222 E.g. accelerate connection expiration on low memory or after certain 223 threshold. The timeout can also be self-balancing. This item is about 224 protecting npf state in situations where excessive SYNs arrive in 225 situations where a legitimate SYN should trigger a state entry. 226 227 ## Consider blind reset attacks (see RFC 5961). 228 229 This is about the situation when npf is doing stateful processing on a 230 TCP connection and only allowing packets matching the connection. 231 Extend the definition of a packet matching the connection to meet the 232 new rules in RFC5961, and perhaps generate the specified response 233 packets. 234 235 # General 236 237 ## IPv4 options 238 239 Implement "block return-icmp in log final all with ipopts". 240 (Explain if this is more than "enable writing rules to match packets 241 with ip options".) 242 243 Consider defaulting to blocking options, with "allow-ip4opts" to 244 enable them. 245 246 ## IPv6 options 247 248 (Jointly with IPv4 options.) 249 250 Perhaps a limited set (IPPROTO_ROUTING, IPPROTO_HOPOPTS and 251 IPPROTO_DSTOPTS) by default, and "allow-ip6opts" to enable others. 252 253 ## add an ioctl, similar to PF's DIOCNATLOOK and IPF's SIOCGNATL 254 255 document it so that it can be added in third-party software, like: 256 https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/ip/Intercept.cc#L263 257 258 ### patch squid to support transparent-proxy with NPF. 259 260 (Likely, simply using the ioctl from the previous item.) 261 262 ## support IPv6 jumbograms 263 264 (Explain what is or is not supported now, and what needs to happen 265 differently.) 266 267 ## IPv6 reassembly 268 269 Investigate and fix the IPv6 reassembly (there is a memory leak). 270 271 ## nbuf_ensure_writable 272 273 Use nbuf_ensure_writable() where appropriate. 274 275 # Low priority items 276 277 These items are left in the list, but there's no reason to think 278 anyone will address them any time soon, or that they are high enough 279 priority that anyone should. They can of course be moved (up likely 280 clarified if someeone, especially someone intending to work on them, 281 doesn't see it that way. (Perhaps we should drop them, but for now 282 they are parked.) 283 284 ## NAT Application Level Gateways for FTP 285 286 Generally, FTP is done in passive mode, so that the data connection is 287 created by the client, and no particular support is needed in 288 firewalls. This item is about creating an alg that allows the 289 (regular, not passive mode) inbound connection from the server, based 290 on watching the control connection. 291 292 (It is likely that there are almost no remaining uses of active FTP, 293 and thus it is unlikely this would be implemented.) 294 295 ## Consider experimentation to use bloom filters against certain DoS attacks. 296 297 (This needs much more clarity.) 298 299 ## support large IPv6 options 300 301 as explained here: 302 http://mail-index.netbsd.org/tech-net/2018/04/08/msg006786.html 303 But it's not a big problem - perhaps we don't care at all. 304 305 ## TCP FSM enhancement 306 307 Minor TCP FSM investigation: should it be not allowed to immediately 308 re-open the connection after RST or FIN? 309 310 (Explain what this means, how it relates to standards, and what the 311 concerns are.) 312
Indexes created Mon Sep 29 21:09:56 GMT 2025