todo - net/ipfilter - Rivoreo Source Code Repositories

 BUGS:
 -----
 * fix "to <ifname>" bug on FreeBSD 2.2.8
 fastroute works

 ===============================================================================
 GENERAL:
 --------

 * support redirection like "rdr tun0 0/32 port 80 ..."

 * use fr_tcpstate() with NAT code for increased NAT usage security or even
   fr_checkstate() - suspect this is not possible.

 * add another alias for <thishost> for interfaces <thisif>? as well as
   all IP#'s associated with the box <myaddrs>?

 time permitting:

 * load balancing across interfaces

 * record buffering for TCP/UDP

 * document bimap

 * document NAT rule order processing

 * add more docs
 in progress

 3.4:
 XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
 traffic priorization) should be *TOP* in the TO DO list.

 * Bandwidth limiting!!!
 maybe for solaris, otherwise "ALTQ"
 * More examples
 * More documentation
 * Load balancing features added to the NAT code, so that I can have
 something coming in for 20.20.20.20:80 and it gets shuffled around between
 internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
 - done, stage 1 (round robin/split)
 The one thing that Cisco's PIX has on IPF that I can see is that
 rewrites the sequence numbers with semi-random ones.
 - done

 I would also love to see a more extensive NAT.  It can choose to do
 rdr and map based on saddr, daddr, sport and dport.  (Does the kernel
 module already have functionality for that and it just needs support in
 the userland ipnat?)
 -sort of done

         * intrusion detection
                 detection of port scans
                 detection of multiple connection attempts

         * support for multiple log files
                 i.e. all connections to ftp and telnet logged to
                         a seperate log file

         * multiple levels of log severity with E-mail notification
                 of intrusion alerts or other high priority errors

         * poison pill facility
                 after detection of a port scan, start sending back
                 large packets of garbage or other packets to
                 otherwise confuse the intruder (ping of death?)

 IPv6:
 -----
 * NAT is yet not available, either as a null proxy or address translation

 BSD:
 * "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.

 Solaris:
 * "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.

 Tru64:
 ------
 * IPv6 checksum calculation for RST's and ICMP packets is not done (there
   are routines in the Tru64 kernel to do this but what is the interface?)

 does bimap allow equal sized subnets?

 make return-icmp 'intelligent' if no type is given about what type to use?

 reply-to - enforce packets to pass through interfaces in particular
 combinations - opposite to "to", set reverse path interface
	BUGS:
	-----
	* fix "to <ifname>" bug on FreeBSD 2.2.8
	fastroute works

	===============================================================================
	GENERAL:
	--------

	* support redirection like "rdr tun0 0/32 port 80 ..."

	* use fr_tcpstate() with NAT code for increased NAT usage security or even
	fr_checkstate() - suspect this is not possible.

	* add another alias for <thishost> for interfaces <thisif>? as well as
	all IP#'s associated with the box <myaddrs>?

	time permitting:

	* load balancing across interfaces

	* record buffering for TCP/UDP

	* document bimap

	* document NAT rule order processing

	* add more docs
	in progress

	3.4:
	XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
	traffic priorization) should be TOP in the TO DO list.

	* Bandwidth limiting!!!
	maybe for solaris, otherwise "ALTQ"
	* More examples
	* More documentation
	* Load balancing features added to the NAT code, so that I can have
	something coming in for 20.20.20.20:80 and it gets shuffled around between
	internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
	- done, stage 1 (round robin/split)
	The one thing that Cisco's PIX has on IPF that I can see is that
	rewrites the sequence numbers with semi-random ones.
	- done

	I would also love to see a more extensive NAT. It can choose to do
	rdr and map based on saddr, daddr, sport and dport. (Does the kernel
	module already have functionality for that and it just needs support in
	the userland ipnat?)
	-sort of done

	* intrusion detection
	detection of port scans
	detection of multiple connection attempts

	* support for multiple log files
	i.e. all connections to ftp and telnet logged to
	a seperate log file

	* multiple levels of log severity with E-mail notification
	of intrusion alerts or other high priority errors

	* poison pill facility
	after detection of a port scan, start sending back
	large packets of garbage or other packets to
	otherwise confuse the intruder (ping of death?)

	IPv6:
	-----
	* NAT is yet not available, either as a null proxy or address translation

	BSD:
	* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.

	Solaris:
	* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.

	Tru64:
	------
	* IPv6 checksum calculation for RST's and ICMP packets is not done (there
	are routines in the Tru64 kernel to do this but what is the interface?)

	does bimap allow equal sized subnets?

	make return-icmp 'intelligent' if no type is given about what type to use?

	reply-to - enforce packets to pass through interfaces in particular
	combinations - opposite to "to", set reverse path interface