1BUGS:
2-----
3* fix "to <ifname>" bug on FreeBSD 2.2.8
4fastroute works
5
6===============================================================================
7GENERAL:
8--------
9
10* support redirection like "rdr tun0 0/32 port 80 ..."
11
12* use fr_tcpstate() with NAT code for increased NAT usage security or even
13  fr_checkstate() - suspect this is not possible.
14
15* add another alias for <thishost> for interfaces <thisif>? as well as
16  all IP#'s associated with the box <myaddrs>?
17
18time permitting:
19
20* load balancing across interfaces
21
22* record buffering for TCP/UDP
23
24* modular application proxying
25-done
26
27* allow multiple ip addresses in a source route list for ipsend
28
29* port IP Filter to Linux
30Not in this century.
31
32* document bimap
33
34* document NAT rule order processing
35
36* add more docs
37in progress
38
393.4:
40XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
41traffic priorization) should be *TOP* in the TO DO list.
42
43* Bandwidth limiting!!!
44maybe for solaris, otherwise "ALTQ"
45* More examples
46* More documentation
47* Load balancing features added to the NAT code, so that I can have
48something coming in for 20.20.20.20:80 and it gets shuffled around between
49internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
50- done, stage 1 (round robin/split)
51The one thing that Cisco's PIX has on IPF that I can see is that
52rewrites the sequence numbers with semi-random ones.
53- done
54
55I would also love to see a more extensive NAT.  It can choose to do
56rdr and map based on saddr, daddr, sport and dport.  (Does the kernel
57module already have functionality for that and it just needs support in
58the userland ipnat?)
59-sort of done
60
61        * intrusion detection 
62                detection of port scans 
63                detection of multiple connection attempts
64                
65        * support for multiple log files
66                i.e. all connections to ftp and telnet logged to 
67                        a seperate log file
68
69        * multiple levels of log severity with E-mail notification
70                of intrusion alerts or other high priority errors
71
72        * poison pill facility
73                after detection of a port scan, start sending back
74                large packets of garbage or other packets to
75                otherwise confuse the intruder (ping of death?)
76
77IPv6:
78-----
79* NAT is yet not available, either as a null proxy or address translation
80
81BSD:
82* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
83
84Solaris:
85* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
86
87Tru64:
88------
89* IPv6 checksum calculation for RST's and ICMP packets is not done (there
90  are routines in the Tru64 kernel to do this but what is the interface?)
91
92does bimap allow equal sized subnets?
93
94make return-icmp 'intelligent' if no type is given about what type to use?
95
96reply-to - enforce packets to pass through interfaces in particular
97combinations - opposite to "to", set reverse path interface
98
99