TODO.npf revision 1.9
# $NetBSD: TODO.npf,v 1.9 2025/04/13 23:03:03 gdt Exp $

====== META ======

-- Merge still-to-be-done-items from another TODO list which was last
   modified in May, 2020:
	https://www.netbsd.org/~rmind/npf/__tasklist.html

-- Review all items to see if they are still relevant and correct.

====== DOCUMENTATION ======

-- how to convert other packet filters to npf

-- add more examples

====== NPFCTL ======

-- npfctl start does not load the configuration if not loaded.
   It is not clear you need to reload first. Or if it loads it should
   print the error messages. Or it should be called enable/disable since
   this is what it does. It does not "start" because like an engine with
   no fuel, an npf with no configuration does not do much.

-- although the framework checks the file for consistency, returning EINVAL
   for system failures is probably not good enough. For example if a module
   failed to autoload, it is probably an error and it should be reported
   differently?

-- startup/stop script does not load and save session state

-- add algo for "with short"

-- implement "port-unr"

-- implement block return-icmp in log final all with ipopts

-- handle array variables in more places

====== GENERAL ======

-- disable IPv4 options by default, and add an "allow-ip4opts" feature to
   enable them

-- disable IPv6 options (IPPROTO_ROUTING, IPPROTO_HOPOPTS and IPPROTO_DSTOPTS)
   by default, and add an "allow-ip6opts" feature to enable them

-- add an ioctl, similar to PF's DIOCNATLOOK and IPF's SIOCGNATL, and document
   it so that it can be added in third-party software, like:
       https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/ip/Intercept.cc#L263

-- support IPv6 jumbograms

-- support large IPv6 options, as explained here:
       http://mail-index.netbsd.org/tech-net/2018/04/08/msg006786.html
   But it's not a big problem - perhaps we don't care at all.

-- add command line variables.  See -D option in pf.

-- improve mss clamping, as explained here:
       http://mail-index.netbsd.org/tech-net/2017/01/15/msg006224.html