-TODO List for netfilter / iptables.
-Currently maintained by Harald Welte <>
-Please inform me, if you want to work on any of the TODO items, so I
-can update this list and thus prevent two people doing the same work.
-CVS ID: $Id: TODO,v 1.71 2003/11/06 23:20:00 laforge Exp $
-IMPORTANT issues:
-- erroneously too-fast dropped conntrack for half-open TCP connections [JK]
-- --mac-source not working in FORWARD (manpage bug?) [BZ]
-- locally bound udp port can still be used for MASQ/SNAT [BZ]
-- unaligned access of nulldevname during string match [BZ]
-- unaligned access in interface match (ip_tables core)
-- update documentation to reflect newnat
-- release iptables-1.3.0-test (with new libiptc for speedup)
-- ipv6 ldp (igmp) and ndisc bypasses LOCAL_OUT hook
-- packet counters on sparc64 platform [BZ]
-- conntrack helper not called for first packet (udp!)
-- different behaviour for first packet towards an l2-unresolved ip?
-NICE to have:
-- sysctl support for ftp-multi, irc-conntrack/nat, ftp-fxp [BZ]
-- port conntrack to IPv6 (code reuse?)
-- ip_nat_ident module [BZ]
-- make iptables / ip6tables use the same codebase (as libiptc) [KA]
-- libipq reentrancy [JM]
-- compiling without O2 issue [BZ]
-- libipq runtime version, do before 1.2.5 [JM]
-- l3 independent ip_queue / ULOG (2.6)
-- add support for IRC tracking in opposite direction
-- Find mirrors for domains
-- example section on homepage
-- searchable mailinglist archives
-- faq-o-matic system
-FUTURE extensions:
-- dealing with fragmented expectation-causes (i.e. DCC chat split
- over two packets, etc.)
-- conntrack / nat failover [HW]
-- unified nfnetlink for queue,ulog,conntrack (and more?) (2.5 issue)
-Userspace queuing for 2.5:
-- Integration with nfnetlink.
-- Multiple queues per protocol.
-- Netlink broadcast support.
-- Allow multiple reader/writers in userspace.
-- How to handle multiple protocols (e.g. use separate queue handlers
- or a multiplexer like ipqmpd).
-- Peformance improvements: multipart messages, mmaped socket (possibly).
-- Simplify queuing logic, which is quite ugly at the moment. (BC suggested
- removing logic from kernel).
-- Allow userspace to set nfmark.
-- Allow userspace to set queue length etc.
-- Possibly pass conntrack/NAT info to userspace with packet.
-[BC] Brad Chapman <>
-[HW] Harald Welte <>
-[JK] Jozsef Kadlecsik <>
-[JM] James Morris <>
-[KA] Kiz-Szabo Andras <>
-[RR] Paul 'Rusty' Russel <>
-[BZ] Included in Bugzilla System