author darrenr <darrenr@FreeBSD.org> 2005-04-25 17:31:50 +0000
committer darrenr <darrenr@FreeBSD.org> 2005-04-25 17:31:50 +0000
commit d438802dcb3e270d6fcc65f075c808c64853a7c2 (patch)
tree e2e1c7115044e6dfc86ff65598566fa32e5f7421 /contrib/ipfilter/todo
parent 590450fec65a8e72a8965117398bc8f14938b4a8 (diff)
import ipfilter 4.1.8 into the vendor branch
Diffstat (limited to 'contrib/ipfilter/todo')
-rw-r--r-- contrib/ipfilter/todo 46
1 files changed, 23 insertions, 23 deletions
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
index 4c2adf1..5b2c059 100644
--- a/contrib/ipfilter/todo
+++ b/contrib/ipfilter/todo
@@ -7,9 +7,14 @@ fastroute works
GENERAL:
--------
+* support redirection like "rdr tun0 0/32 port 80 ..."
+
* use fr_tcpstate() with NAT code for increased NAT usage security or even
fr_checkstate() - suspect this is not possible.
+* add another alias for <thishost> for interfaces <thisif>? as well as
+ all IP#'s associated with the box <myaddrs>?
+
time permitting:
* load balancing across interfaces
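Review bot: The new "rdr tun0 0/32 port 80 ..." item at the top of GENERAL trails off in "..." and never says what about this rule form is unsupported today, so a later reader cannot tell when the item is finished. Suggest writing out the full rule and the behaviour wanted from it. The <thisif> / <myaddrs> item added further down has the same weakness: both aliases end in "?", which reads as an open question rather than a task, so either state the intended meaning of each alias or move the line to a list of open questions.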
@@ -17,21 +22,13 @@ time permitting:
* record buffering for TCP/UDP
* modular application proxying
-available
+-done
* allow multiple ip addresses in a source route list for ipsend
-* complete Linux port to implement all the IP Filter features
-return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-(
-on hold until rewrite
-
-* add a flag to automate src spoofing
-done
+* port IP Filter to Linux
+Not in this century.
-* ipfsync() should change IP#'s in current mappings as well as what's
- in rules.
-done
-
* document bimap
* document NAT rule order processing
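Review bot: Replacing the Linux entry's status lines with "Not in this century." drops the only record of how far that port got ("return-rst done, to/dup-to/fastroute remain - ip_forward() problems"). If the port is abandoned, say so plainly and keep one line naming what blocked it, or delete the item altogether. Separately, the marker under "modular application proxying" changes from "available" to "-done" with a leading dash, which differs from the plain "done" used on the entries removed in this same hunk; pick one marker form for the file.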
@@ -43,22 +40,23 @@ in progress
XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
traffic priorization) should be *TOP* in the TO DO list.
-* irc proxy for dcc
* Bandwidth limiting!!!
+maybe for solaris, otherwise "ALTQ"
* More examples
* More documentation
-* And did I mention bandwidth limiting???
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that
rewrites the sequence numbers with semi-random ones.
+- done
I would also love to see a more extensive NAT. It can choose to do
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
+-sort of done
* intrusion detection
detection of port scans
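Review bot: "* irc proxy for dcc" is deleted here without any status, while other entries this patch closes carry "done" or "fixed", so the file no longer shows whether the proxy was implemented or the request was dropped. Suggest keeping the line with an explicit marker, or noting the outcome in the commit message. The new "-sort of done" under the extended NAT request also needs a few words on which of the saddr/daddr/sport/dport selectors work for rdr and map, since that is exactly what the request asks.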
@@ -76,23 +74,25 @@ the userland ipnat?)
large packets of garbage or other packets to
otherwise confuse the intruder (ping of death?)
-* I ran into your solaris streams stuff and noticed you are
-playing with mblk's in an unsafe way. You seem to be modifying the
-underlying datab without checking db_ref. If db_ref is greater than one,
-you'll need to copy the mblk,
-- fixed
-
-* fix up where manual pages go for Solaris2
-
-
IPv6:
-----
* NAT is yet not available, either as a null proxy or address translation
BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
-fixed.
Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
+Tru64:
+------
+* IPv6 checksum calculation for RST's and ICMP packets is not done (there
+ are routines in the Tru64 kernel to do this but what is the interface?)
+
+does bimap allow equal sized subnets?
+
+make return-icmp 'intelligent' if no type is given about what type to use?
+
+reply-to - enforce packets to pass through interfaces in particular
+combinations - opposite to "to", set reverse path interface
+