Source-Changes-HG archive
[src/trunk]: src Move NPF's todo list into src/doc/TODO.npf, and add some ent...
details: https://anonhg.NetBSD.org/src/rev/afd4e45b6c86
branches: trunk
changeset: 360972:afd4e45b6c86
user: maxv <maxv%NetBSD.org@localhost>
date: Sun Apr 08 08:57:37 2018 +0000
description:
Move NPF's todo list into src/doc/TODO.npf, and add some entries. After a
conversation (two months ago) with rmind and sborrill.
diffstat:
doc/TODO.npf | 47 +++++++++++++++++++++++++++++++++++++++++++++++
usr.sbin/npf/npfctl/todo | 16 ----------------
2 files changed, 47 insertions(+), 16 deletions(-)
diffs (71 lines):
diff -r 206a03803a6f -r afd4e45b6c86 doc/TODO.npf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/TODO.npf Sun Apr 08 08:57:37 2018 +0000
@@ -0,0 +1,47 @@
+Another TODO list is available here:
+
+ https://www.netbsd.org/~rmind/npf/__tasklist.html
+
+====== DOCUMENTATION ======
+
+-- how to convert other packet filters to npf
+
+-- add more examples
+
+====== NPFCTL ======
+
+-- npfctl start does not load the configuration if not loaded.
+ It is not clear you need to reload first. Or if it loads it should
+ print the error messages. Or it should be called enable/disable since
+ this is what it does. It does not "start" because like an engine with
+ no fuel, an npf with no configuration does not do much.
+
+-- npf starts up too late (after traffic can go through)
+
+-- although the framework checks the file for consistency, returning EINVAL
+ for system failures is probably not good enough. For example if a module
+ failed to autoload, it is probably an error and it should be reported
+ differently?
+
+-- startup/stop script does not load and save session state
+
+-- add algo for "with short"
+
+-- implement "port-unr"
+
+-- implement block return-icmp in log final all with ipopts
+
+-- handle array variables in more places
+
+====== GENERAL ======
+
+-- disable IPv4 options by default, and add a "allow-ip4opts" feature to
+ enable them
+
+-- disable IPv6 options (IPPROTO_ROUTING, IPPROTO_HOPOPTS and IPPROTO_DSTOPTS)
+ by default, and add a "allow-ip6opts" feature to enable them
+
+-- add an ioctl, similar to PF's DIOCNATLOOK and IPF's SIOCGNATL, and document
+ it so that it can be added in third-party software, like:
+ https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/ip/Intercept.cc#L263
+
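Review bot: Several entries in the NPFCTL section are too terse to be actionable by anyone who was not in the original conversation, in particular "add algo for "with short"", "implement "port-unr"" and "implement block return-icmp in log final all with ipopts"; one sentence each on the intended semantics (what the keyword should match or do, and why it is currently missing) would let a new contributor pick them up. The two GENERAL entries that propose disabling IPv4 options and the IPv6 IPPROTO_ROUTING/IPPROTO_HOPOPTS/IPPROTO_DSTOPTS headers by default are a sound default-deny direction; it would help to state here that this is a behaviour change for existing rulesets so that the "allow-ip4opts"/"allow-ip6opts" knobs get documented alongside the change when it lands. The link to ~rmind's task list is a personal page that may go stale, so noting the date it was last checked next to the URL would make it easier to tell when it has diverged from this file.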
diff -r 206a03803a6f -r afd4e45b6c86 usr.sbin/npf/npfctl/todo
--- a/usr.sbin/npf/npfctl/todo Sun Apr 08 06:01:04 2018 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,16 +0,0 @@
--- how to convert other packet filters to npf
--- npfctl start does not load the configuration if not loaded.
- It is not clear you need to reload first. Or if it loads it should
- print the error messages. Or it should be called enable/disable since
- this is what it does. It does not "start" because like an engine with
- no fuel, an npf with no configuration does not do much.
--- npf starts up too late (after traffic can go through)
--- although the framework checks the file for consistency, returning EINVAL
- for system failures is probably not good enough. For example if a module
- failed to autoload, it is probably an error and it should be reported
- differently?
--- startup/stop script does not load and save session state
--- add algo for "with short"
--- implement "port-unr"
--- implement block return-icmp in log final all with ipopts
--- handle array variables in more places
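Review bot: All ten entries from this removed file reappear unchanged in doc/TODO.npf in the first hunk, so nothing is dropped by the move; the only difference is that the new file separates entries with blank lines and groups them under headings. Since usr.sbin/npf/npfctl no longer carries a todo file, a pointer to the new location (in the commit message or a one-line note in that directory) would save developers who look for it under npfctl from assuming the list was abandoned.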