NPF tasklist
Last update: 18 January 2019
| Description | Priority | Responsible | Complexity | Status |
|---|---|---|---|---|
| Implement options to tune certain NPF parameters, e.g. connection state timeouts, limits, strict RST for stateful TCP filtering, etc. Could use sysctl(9), but currently its interface is quite awful. | high | rmind | low | DONE |
| npfctl: support variables and inline sets which contain both IPv4 and IPv6 addresses, for example: `$ext_if = { inet4(wm0), inet6(wm0) }` | high | TBD | medium | - |
| Work around the limit on the number of rules (and state size); this is not an NPF limitation, but a buffer size limit in proplib. The longer-term fix is to replace proplib (see the architecture section). Meanwhile, there needs to be a workaround: bump the size/limit to e.g. 4 MB? | high | christos | low | DONE |
| npfctl: support inline blocks with different types of data in the rule. This will require a clean-up of the type system in the npfctl parser, since it is currently a bit of a mess. Examples:<br>`pass in from all to { inet4(wm0), $some_var,,  }`<br>`pass in final proto tcp to port { 161, 162 }`<br>`pass in final proto { tcp, udp } to port 53`<br>Missing: multiple protocols (more difficult). | medium | rmind | medium | MOSTLY DONE |
| npfctl: protocol support for NAT, e.g.: `map vlan11 dynamic $local_ip port 3389 <- $ext_ip proto tcp port 54321` | medium | rmind | low | DONE |

Features (do not require architectural changes)
| Description | Priority | Responsible | Complexity | Status |
|---|---|---|---|---|
| Support for dynamic interface address handling. | high | rmind + christos | medium | DONE |
| Implement an npfd(8) daemon which, for now, dumps from npflog interfaces into a file. It may in the future be extended to do other tasks, e.g. perform state replication. | medium | christos + rmind | medium | DONE |
| Add an extension to support source routing / re-routing of packets. See: | medium | TBD | medium | - |
| Integration with ALTQ as an intermediate solution. In the long term, we should implement a better QoS mechanism as part of NPF. Meanwhile, NPF can integrate with ALTQ quite easily using the mbuf tags. | medium | TBD | medium | - |
| Finish up the support for dynamic NAT rules. Some work is already done, but it requires completion and testing. | medium | rmind | medium | DONE |
| Support for dynamic NAT with an address pool (think of stateful M:N mapping). In iptables/netfilter land this is known as NETMAP. | low | rmind | medium | DONE |
| Support for NAT64, i.e. protocol translation. | low | TBD | medium | - |
| Implement ftp-proxy forward proxy support (for an active FTP client behind NAT). This requires the dynamic NAT work described above. | low | TBD | medium | - |
| Patch the Squid proxy to support transparent proxying with NPF: just an ioctl call to perform a state lookup? | low | TBD | low | - |

| Description | Priority | Responsible | Complexity | Status |
|---|---|---|---|---|
| Extra measures to protect against SYN flood attacks, e.g. accelerate connection expiration on low memory or after a certain threshold. The timeout can also be self-balancing. | medium | TBD | low | - |
| Mitigate the blind reset attack using SYN (see RFC 5961). | medium | TBD | low | - |
| For fun: consider some experimentation with bloom filters against certain DoS attacks. | low | TBD | medium | - |

Bugs and misc
| Description | Priority | Responsible | Complexity | Status |
|---|---|---|---|---|
| Investigate and fix the IPv6 reassembly (there is a memory leak). | medium | TBD | low | - |
| Fix "stateful-all" to handle the interfaces correctly. | medium | rmind | low | DONE |
| Use nbuf_ensure_writable() where appropriate. | low | TBD | low | - |
| Minor TCP FSM investigation: should immediately re-opening a connection after RST or FIN be disallowed? | low | TBD | low | - |
| Add support for MiniUPnP (see web page). | low | TBD | medium | - |
| Make `npfctl show` output consistent with the rule syntax. Difficult/messy because rules are compiled into byte-code. | low | TBD | high | - |

Architectural changes / long-term features
| Description | Design/plan/result |
|---|---|
| Replace proplib with a better library, using a binary serialisation format and a sane API. | DONE |
| Implement NPF rules as a single large BPF program, instead of providing BPF byte-code per rule. In combination with BPF JIT compilation, such an approach would significantly improve the performance of very large rulesets. Problems: BPF byte-code limitations; we can either extend the byte-code or work around them. | TBD [rmind] |
| Multiple rule matching to call the rule-procedures, or a suitable design alternative to that. | TBD [rmind] |
| Replace the hashed red-black trees used for the state table. They have quite high overhead and do not scale well with many cores and a *huge* number of concurrent connections. There is a standalone NPF user who simulated *millions* of concurrent connections with state, using lockless Cuckoo hashing for the state table. | DONE |
| Implement an ipchains-like feature to support nested rules and sharing of a rule group. NPF already supports nested rules. Unresolved questions are: 1) what complexity of rule chains do we want to support, e.g. a directed graph with loop resolution, or a stricter hierarchy which does not allow jumping up the chain? 2) syntax in the npf.conf file. | TBD [rmind] |
| Redundancy and load balancing: initially, add state replication and replace in-kernel CARP/VRRP with a userlevel daemon. Note: we probably want to eliminate proplib in NPF before doing this. | TBD [rmind] |
| QoS: rate limiting, traffic shaping, prioritising. Question: how much of this should be a part of the packet filter and how much of the network stack (merely involving some integration with the packet filters)? | TBD [rmind] |
| Layer 2 filtering for NPF. Should be supported as a separate class of groups, i.e. `group layer=2 { ... }`, which may set mbuf tags to be parsed at layer 3. | npf_layer2.txt |
| Support for tuples in tables: address and port, as well as just port. | TBD [rmind] |