Another TODO list is available here:

   https://www.netbsd.org/~rmind/npf/__tasklist.html

====== DOCUMENTATION ======

-- how to convert other packet filters to npf

-- add more examples

-- modify the doc of IPF to indicate it is deprecated, and that
   NPF should be used instead

====== NPFCTL ======

-- npfctl start does not load the configuration if not loaded.
   It is not clear you need to reload first. Or if it loads it should
   print the error messages. Or it should be called enable/disable since
   this is what it does. It does not "start" because like an engine with
   no fuel, an npf with no configuration does not do much.

-- although the framework checks the file for consistency, returning EINVAL
   for system failures is probably not good enough. For example if a module
   failed to autoload, it is probably an error and it should be reported
   differently?

-- startup/stop script does not load and save session state

-- add algo for "with short"

-- implement "port-unr"

-- implement block return-icmp in log final all with ipopts

-- handle array variables in more places

====== GENERAL ======

-- disable IPv4 options by default, and add an "allow-ip4opts" feature to
   enable them

-- disable IPv6 options (IPPROTO_ROUTING, IPPROTO_HOPOPTS and IPPROTO_DSTOPTS)
   by default, and add an "allow-ip6opts" feature to enable them

-- add an ioctl, similar to PF's DIOCNATLOOK and IPF's SIOCGNATL, and document
   it so that it can be added in third-party software, like:
   https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/ip/Intercept.cc#L263

-- support IPv6 jumbograms

-- support large IPv6 options, as explained here:
   http://mail-index.netbsd.org/tech-net/2018/04/08/msg006786.html
   But it's not a big problem - perhaps we don't care at all.

-- add command line variables. See -D option in pf.

-- improve mss clamping, as explained here:
   http://mail-index.netbsd.org/tech-net/2017/01/15/msg006224.html