xref: /netbsd-src/external/bsd/blocklist/TODO (revision 0449daef3fa38d52606897f43111e5506c4a0caa)
# $NetBSD: TODO,v 1.2 2021/03/07 00:46:39 christos Exp $

- don't poll periodically, find the next timeout
- use the socket also for commands? Or a separate socket?
- add functionality to the control program. Should it change the database
  directly, or talk to the daemon to have it do it?
- perhaps handle interfaces too instead of addresses for dynamic IP?
  <bge0/4>? What to do with multiple addresses?
- perhaps rate limit against DoS
- perhaps instead of scanning the list have a sparse map by port?
- do we want to use libnpf directly for efficiency?
- add more daemons (ftpd?)
- do we care about the db state becoming too large?
- instead of a yes = bump one, no = return to 0 interface, do we want
  to have something more flexible like:
	+n
	-n
	block
	unblock
- do we need an API in blocklistctl to perform maintenance?
- fix the blocklistctl output to be more user friendly

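The first item above (compute the next timeout instead of polling on a fixed interval) is sketched below as an added example. This is not blocklistd's own code: the `struct entry` layout, the TEST-NET addresses and the fixed clock value are constructed for the illustration, and the real daemon keeps its state in its database rather than in a flat array.

```c
/* Added example, not blocklistd code: wake up exactly when the next block
 * expires instead of polling the table on a fixed interval. */
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Constructed model of one blocked address; the real daemon stores more. */
struct entry {
	const char *addr;	/* textual address (sample data) */
	time_t expires;		/* absolute time at which the block is lifted */
	int active;		/* 1 while the filter rule is in place */
};

/* Seconds until the earliest active expiry, or -1 when nothing is pending.
 * An entry that is already overdue yields 0 so the caller wakes at once. */
long
next_timeout(const struct entry *tab, size_t n, time_t now)
{
	long best = -1;
	for (size_t i = 0; i < n; i++) {
		long left;
		if (!tab[i].active)
			continue;
		left = (long)(tab[i].expires - now);
		if (left < 0)
			left = 0;
		if (best < 0 || left < best)
			best = left;
	}
	return best;
}

/* Deactivate every entry whose expiry has passed; return how many were lifted. */
size_t
expire_entries(struct entry *tab, size_t n, time_t now)
{
	size_t lifted = 0;
	for (size_t i = 0; i < n; i++) {
		if (tab[i].active && tab[i].expires <= now) {
			tab[i].active = 0;
			lifted++;
		}
	}
	return lifted;
}

/* Translate the result into a poll(2)-style millisecond timeout
 * (-1 means block until a socket event arrives). */
int
poll_timeout_ms(long secs)
{
	if (secs < 0)
		return -1;
	if (secs > 1000000)	/* cap so the multiplication cannot overflow int */
		secs = 1000000;
	return (int)(secs * 1000);
}

int
main(void)
{
	time_t now = 1000;	/* constructed clock so the run is reproducible */
	struct entry tab[] = {
		{ "192.0.2.10", now + 30, 1 },
		{ "192.0.2.11", now + 5, 1 },
		{ "192.0.2.12", now - 1, 1 },	/* already overdue */
	};
	size_t n = sizeof tab / sizeof tab[0];

	/* Simulate the daemon's loop: lift what is due, then sleep only until
	 * the next expiry rather than on a fixed period. */
	for (int step = 0; step < 4; step++) {
		size_t lifted = expire_entries(tab, n, now);
		long wait = next_timeout(tab, n, now);
		printf("t=%ld: lifted %zu, next wake-up in %ld s (poll timeout %d ms)\n",
		    (long)now, lifted, wait, poll_timeout_ms(wait));
		if (wait < 0)
			break;
		now += wait;	/* pretend we slept exactly that long */
	}
	return 0;
}
```

In a real daemon the same value would be handed to poll(2) or kevent(2) on the control socket, so a new report from a client interrupts the sleep and the timeout is simply recomputed on the next pass; a sorted structure keyed on expiry would replace the linear scan once the table grows.
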
- figure out some way to do distributed operation securely (perhaps with
  a helper daemon that authenticates local sockets and then communicates
  local DB changes to the central server over a secure channel --
  perhaps blocklistd-helper can have a back-end that can send updates to
  a central server)

- add "blocklistd -l" to enable filter logging on all rules by default

- add some new options in the config file

	"/all"	- block both TCP and UDP (on the proto field?)

	"/log"	- enable filter logging (if not the default) (on the name field?)
	"/nolog"	- disable filter logging (if not the default) (on the name field?)

  The latter two probably require a new parameter for blocklistd-helper.

- "blocklistd -f" should (also?) be a blocklistctl function!?!?!

- if blocklistd was started with '-r' then a SIGHUP should also do a
  "control flush $rulename" and then re-add all the filter rules?

- should/could /etc/rc.conf.d/ipfilter be created with the following?

	reload_postcmd=blocklistd_reload
	start_postcmd=blocklistd_start
	stop_precmd=blocklistd_stop
	blocklistd_reload ()
	{
		/etc/rc.d/blocklistd reload	# IFF SIGHUP does flush/re-add
		# /etc/rc.d/blocklistd restart
	}
	blocklistd_stop ()
	{
		/etc/rc.d/blocklistd stop
	}
	blocklistd_start ()
	{
		/etc/rc.d/blocklistd start
	}

  or is there a better way?
108