-
-
Notifications
You must be signed in to change notification settings - Fork 3
/
TODO
101 lines (61 loc) · 2.78 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
TODO for filtergen
==================
milestones for version 0.13
--------------------------
* Resolve fg-iptrestore.c and output/iptables-restore.
- Two contributors created the same thing; fix the subtle differences.
* Fixup and maintain the cisco and ipfilter backends
- Cisco needs testing, negation fixes and options for reflexive
ACLs
- ipfilter needs testing and masq, transproxy and grouping support
* New input/output engines:
- FreeBSD ipfw target
- iproute2 "ip rule" target
- iptables-save input and target format
- ipchains-save input and target format
- Does Netscreen have a command line interface like IOS?
- There are a number of output types listed at this conversion tool:
http://www.bluetack.co.uk/convert.html
milestones for version 0.14
--------------------------
* Factoriser for intermediate representation.
prior to conversion to target format. Should be simple to create and
quite effective. boolean factorisation never involves polynomials.
watch out for rules with side effects though. order must be preserved.
* Implement a negation unroller for filters which can't negate
a match. (For example, Ciscos can't say "match all but this
host".) This gives us negation of {}-groups, too.
* Order orthogonal rules by branch count.
* Order orthogonal rules by packet counts if possible.
more popular rules to the top for faster traversal.
* Peephold optimiser for target representation.
Remove redundant rules. Split common subsets into separate chains
(if chaining available).
other items
-----------
* Full documentation.
administrators guide/user manual in addition to man pages.
* ICMP support
- Translate icmp names for ipfilter and cisco targets
- generate ICMP codes in iptables (y part in --icmp-type x/y)
* "Loose" option to allow not-quite-correct rulesets to run, eg.,
using forward-only with ipchains
* handle resolver errors in resolve.c
* extra iptables-like commands: user, related state have them
carry through to the generator and then have the generator discard
rulesets it doesn't like (but be aware of them)
* support sysctl tuning in iptables/ipchains (i.e. linux) targets
* rate limiting support
- "limit" keyword in iptables
* Testing and auditing of generated rulesets.
- test rig for packet filters
- user tools for testing rulesets
- diffing/merging tool for filters, compare two and report differences
or merge in all rules from a second filter into a first and report extra
rules.
* state ESTABLISHED on iptables rules for all rules
* no conntrack (i.e. designed for large fast filters) option for iptables
* reject-with for reject target in iptables
* " characters in identifiers, do they need to exist?
* forward/local specifiers in filtergen language removed. add them
back?