# $NetBSD: TODO,v 1.3 2025/02/05 20:22:26 christos Exp $

- don't poll periodically, find the next timeout
- use the socket also for commands? Or separate socket?
- add functionality to the control program. Should it change the database
  directly, or talk to the daemon to have it do it?
- perhaps handle interfaces too instead of addresses for dynamic ip?
  <bge0/4>? What to do with multiple addresses?
- perhaps rate limit against DoS
- perhaps instead of scanning the list have a sparse map by port?
- do we want to use libnpf directly for efficiency?
- add more daemons ftpd?
- do we care about the db state becoming too large?
- instead of a yes = bump one, no = return to 0 interface, do we want
  to have something more flexible like?
	+n
	-n
	block
	unblock
- do we need an api in blocklistctl to perform maintenance
- fix the blocklistctl output to be more user friendly

- figure out some way to do distributed operation securely (perhaps with
  a helper daemon that authenticates local sockets and then communicates
  local DB changes to the central server over a secure channel --
  perhaps blocklistd-helper can have a back-end that can send updates to
  a central server)

- add "blocklistd -l" to enable filter logging on all rules by default

- add some new options in the config file

	"/all"	- block both TCP and UDP (on the proto field?)

	"/log"	- enable filter logging (if not the default) (on the name field?)
	"/nolog"- disable filter logging (if not the default) (on the name field?)

  The latter two probably require a new parameter for blocklistd-helper.

- "blocklistd -f" should (also?) be a blocklistctl function!?!?!

- if blocklistd was started with '-r' then a SIGHUP should also do a
  "control flush $rulename" and then re-add all the filter rules?

- should/could /etc/rc.conf.d/ipfilter be created with the following?

	reload_postcmd=blocklistd_reload
	start_postcmd=blocklistd_start
	stop_precmd=blocklistd_stop
	blocklistd_reload ()
	{
		/etc/rc.d/blocklistd reload	# IFF SIGHUP does flush/re-add
		# /etc/rc.d/blocklistd restart
	}
	blocklistd_stop ()
	{
		/etc/rc.d/blocklistd stop
	}
	blocklistd_start ()
	{
		/etc/rc.d/blocklistd start
	}

  or is there a better way?