TODO for filtergen

Easy:
 * Better documentation.
 * Support scripts, documentation and Makefiles for various systems.
 * Better logging options.
 * Better Makefiles.
 * Option to do all name lookups (hosts, services, ICMP)
 * Translate icmp names (at least for ipfilter and cisco)
 * "Loose" option to allow not-quite-correct rulesets to run,
   e.g., using forward-only with ipchains
 * New backend: FreeBSD ipfw

Medium:
 * Fixup and maintain the cisco and ipfilter backends
   + Cisco needs testing, negation fixes and options for reflexive ACLs
   + ipfilter needs testing and masq, transproxy and grouping support

Harder:
 * iproute2 "ip rule" backend
 * Testing and auditing of generated rulesets.

Hard:
 * Optimiser (de-pessimiser :-) for intermediate step, and also
   generated rulesets (the latter could be done with a peephole
   optimiser, I think).
 * Implement a negation unroller for filters which can't negate a
   match. (For example, Ciscos can't say "match all but this host".)
   This gives us negation of {}-groups, too. This is possible, but
   tiresome, and will require an optimiser if the generated rulesets
   are not to Suck.

$Id: TODO,v 1.14 2002/09/13 10:19:48 matthew Exp $