TODO - external/bsd/blocklist/TODO - Netbsd-lockdoc source code (lockdoc-10.99.5-vfs-0.1)

# $NetBSD: TODO,v 1.2 2021/03/07 00:46:39 christos Exp $

- don't poll periodically, find the next timeout
- use the socket also for commands? Or separate socket?
- add functionality to the control program. Should it change the database
  directly, or talk to the daemon to have it do it?
- perhaps handle interfaces too instead of addresses for dynamic ip?
  <bge0/4>? What to do with multiple addresses?
- perhaps rate limit against DoS
- perhaps instead of scanning the list have a sparse map by port?
- do we want to use libnpf directly for efficiency?
- add more daemons ftpd?
- do we care about the db state becoming too large? 
- instead of a yes = bump one, no = return to 0 interface, do we want
  to have something more flexible like?
	+n
	-n
	block
	unblock
- do we need an api in blocklistctl to perform maintenance
- fix the blocklistctl output to be more user friendly

- figure out some way to do distributed operation securely (perhaps with
  a helper daemon that authenticates local sockets and then communicates
  local DB changes to the central server over a secure channel --
  perhaps blocklistd-helper can have a back-end that can send updates to
  a central server)

- add "blocklistd -l" to enable filter logging on all rules by default

- add some new options in the config file

	"/all"	- block both TCP and UDP (on the proto field?)

	"/log"	- enable filter logging (if not the default) (on the name field?)
	"/nolog"- disable filter logging (if not the default) (on the name field?)

  The latter two probably require a new parameter for blocklistd-helper.

- "blocklistd -f" should (also?) be a blocklistctl function!?!?!

- if blocklistd was started with '-r' then a SIGHUP should also do a
  "control flush $rulename" and then re-add all the filter rules?

- should/could /etc/rc.conf.d/ipfilter be created with the following?

	reload_postcmd=blocklistd_reload
	start_postcmd=blocklistd_start
	stop_precmd=blocklistd_stop
	blocklistd_reload ()
	{
		/etc/rc.d/blocklistd reload	# IFF SIGHUP does flush/re-add
		# /etc/rc.d/blocklistd restart
	}
	blocklistd_stop ()
	{
		/etc/rc.d/blocklistd stop
	}
	blocklistd_start ()
	{
		/etc/rc.d/blocklistd start
	}

  or is there a better way?

- figure out some way to do distributed operation securely (perhaps with
  a helper daemon that authenticates local sockets and then communicates
  local DB changes to the central server over a secure channel --
  perhaps blocklistd-helper can have a back-end that can send updates to
  a central server)

- add "blocklistd -l" to enable filter logging on all rules by default

- add some new options in the config file

	"/all"	- block both TCP and UDP (on the proto field?)

	"/log"	- enable filter logging (if not the default) (on the name field?)
	"/nolog"- disable filter logging (if not the default) (on the name field?)

  The latter two probably require a new parameter for blocklistd-helper.

- "blocklistd -f" should (also?) be a blocklistctl function!?!?!

- if blocklistd was started with '-r' then a SIGHUP should also do a
  "control flush $rulename" and then re-add all the filter rules?

- should/could /etc/rc.conf.d/ipfilter be created with the following?

	reload_postcmd=blocklistd_reload
	start_postcmd=blocklistd_start
	stop_precmd=blocklistd_stop
	blocklistd_reload ()
	{
		/etc/rc.d/blocklistd reload	# IFF SIGHUP does flush/re-add
		# /etc/rc.d/blocklistd restart
	}
	blocklistd_stop ()
	{
		/etc/rc.d/blocklistd stop
	}
	blocklistd_start ()
	{
		/etc/rc.d/blocklistd start
	}

  or is there a better way?