# $NetBSD: TODO,v 1.2 2021/03/07 00:46:39 christos Exp $
- don't poll periodically, find the next timeout
- use the socket also for commands? Or separate socket?
- add functionality to the control program. Should it change the database
  directly, or talk to the daemon to have it do it?
- perhaps handle interfaces too instead of addresses for dynamic ip?
  <bge0/4>? What to do with multiple addresses?
- perhaps rate limit against DoS
- perhaps instead of scanning the list have a sparse map by port?
- do we want to use libnpf directly for efficiency?
- add more daemons, ftpd?
- do we care about the db state becoming too large?
- instead of a yes = bump one, no = return to 0 interface, do we want
  to have something more flexible like:
        +n
        -n
        block
        unblock
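The "+n / -n / block / unblock" vocabulary above, and the "sparse map by port" idea a few items earlier, modelled as a small added Python example. This is not blocklistd code: the Tracker and Entry classes, the apply() and legacy() methods and the nfail threshold are all assumptions made here to show how the proposed commands would move per-address state compared with today's bump-by-one / return-to-zero model.

```python
import re
from dataclasses import dataclass, field

# Constructed example, not NetBSD blocklistd code. It models the "more
# flexible" control vocabulary the TODO sketches (+n, -n, block, unblock)
# next to the existing yes/no semantics, and keeps state in a per-port map
# rather than one flat list (the "sparse map by port" idea). Every name in
# this file is invented for the illustration.

# +n / -n with a decimal count, or the bare words block / unblock.
_CMD = re.compile(r"^(?:([+-])(\d+)|(block)|(unblock))$")


@dataclass
class Entry:
    count: int = 0          # accumulated failures for this (port, address)
    blocked: bool = False   # whether a filter rule is currently installed


@dataclass
class Tracker:
    nfail: int                                       # failures before a rule is added
    _by_port: dict = field(default_factory=dict)     # port -> {address: Entry}

    def _entry(self, port: int, addr: str) -> Entry:
        # Two-level map: lookups touch only the entries for one port, so a
        # busy sshd on 22 does not make lookups for 25 or 143 slower.
        return self._by_port.setdefault(port, {}).setdefault(addr, Entry())

    def count(self, port: int, addr: str) -> int:
        return self._by_port.get(port, {}).get(addr, Entry()).count

    def rules(self) -> set:
        """(port, address) pairs that currently have a rule installed.

        Useful for re-adding everything after a filter flush."""
        return {(p, a) for p, m in self._by_port.items()
                for a, e in m.items() if e.blocked}

    def apply(self, port: int, addr: str, cmd: str):
        """Apply one command; return "add", "remove" or None (no rule change)."""
        m = _CMD.match(cmd)
        if not m:
            raise ValueError(f"bad command {cmd!r}")
        sign, n, block, unblock = m.groups()
        e = self._entry(port, addr)
        if block:
            # Immediate block: jump the count to the threshold if it is below.
            e.count = max(e.count, self.nfail)
        elif unblock:
            e.count = 0
        else:
            delta = int(n) if sign == "+" else -int(n)
            e.count = max(0, e.count + delta)   # never go negative
        want = e.count >= self.nfail
        if want and not e.blocked:
            e.blocked = True
            return "add"
        if not want and e.blocked:
            e.blocked = False
            return "remove"
        return None

    def legacy(self, port: int, addr: str, failed: bool):
        """Today's model as the TODO describes it: a failure bumps the count
        by one, a success returns it to zero."""
        if failed:
            return self.apply(port, addr, "+1")
        return self.apply(port, addr, "-%d" % self.count(port, addr))
```

The "-n" command is what makes the proposal more flexible than yes/no: a daemon can give partial credit (one good login after three bad ones) without wiping the history, and a rule drops out automatically once the count falls back under the threshold.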
- do we need an api in blocklistctl to perform maintenance?
- fix the blocklistctl output to be more user friendly
- figure out some way to do distributed operation securely (perhaps with
  a helper daemon that authenticates local sockets and then communicates
  local DB changes to the central server over a secure channel --
  perhaps blocklistd-helper can have a back-end that can send updates to
  a central server)
- add "blocklistd -l" to enable filter logging on all rules by default
- add some new options in the config file
        "/all"   - block both TCP and UDP (on the proto field?)
        "/log"   - enable filter logging (if not the default) (on the name field?)
        "/nolog" - disable filter logging (if not the default) (on the name field?)
  The latter two probably require a new parameter for blocklistd-helper.
- "blocklistd -f" should (also?) be a blocklistctl function!?!?!
- if blocklistd was started with '-r' then a SIGHUP should also do a
  "control flush $rulename" and then re-add all the filter rules?
- should/could /etc/rc.conf.d/ipfilter be created with the following?
        reload_postcmd=blocklistd_reload
        start_postcmd=blocklistd_start
        stop_precmd=blocklistd_stop
        blocklistd_reload ()
        {
                /etc/rc.d/blocklistd reload     # IFF SIGHUP does flush/re-add
                # /etc/rc.d/blocklistd restart
        }
        blocklistd_stop ()
        {
                /etc/rc.d/blocklistd stop
        }
        blocklistd_start ()
        {
                /etc/rc.d/blocklistd start
        }
  or is there a better way?