TODO




pgld:

  - implement "long run whitelisting concept" (see "All components" below").
    This has to be done first in pgld, then in pglcmd and then in pglgui.

  - add option to search for a specified IP in a blocklist:
    pgld -f IP BLOCKLIST
    if IP is found in the BLOCKLIST: return 0 and output the matching range(s).
    if IP is not found: return 1
    when implemented, adapt "pglcmd search"

  - replace NIPQUAD (removed from kernel 2.6.36) (Note: still works on 3.2)

  - improve logging: object org/netfilter/pgl/IpMatch consisting of separate
    items (srcip, srcport, destip, destport, proto, description) instead of a
    plain string. Use this with dbus, adapt pglgui when implemented.

  - make length of range description configurable (with LOWMEM:=range=0)

  - send total of blocked connections over dbus (then show it in pglgui)




pglcmd:

  - update dependency, cf. to apt:
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed.
//Unattended-Upgrade::Mail "root@localhost";
//Unattended-Upgrade::MailOnlyOnError "true";

  - implement "long run whitelisting concept" (see "All components" below").
    This has to be done first in pgld, then in pglcmd and then in pglgui.

  - search function:
    requires search function in pgld, see above.
    Use this function instead of grep'ping for REGEX.

  - FIX: since 2011-08-11 I get system mails claiming I tried to send a mail
    without recipient. Seems to be related at least to "restart".

  - FIX: on stop (and probably other commands), only dump/reset stats once

  - nice: on CentOS it is required to use e.g. "+5". Find solutions suiting all
    distros.

  - use "ip addr" instead of "ifconfig":
    see http://jengelh.medozas.de/2008/0219-ifconfig-sucks.php

  - add dbus support, especially for logging.
    - Completely rework the logging part, and check if all messages go where
      they should.
    - send error messages to console (STDERR 1>&2), logfile and dbus.
    - when implemented pglgui should watch for the error messages

  - add pidfiles for update and start/reload
    (prevent 2 starts at nearly the same time, but still allow a simultaneous
    start and update)

  - Send traffic to several NFQUEUE nums with --queue-balance and run multiple
    pgld instances for these nums. This might help on heavy load.
    --
    Alternatively increasing the default receive/send window seems to fix the
    problem. Add this to your system's config (you may use /etc/pgl/insert.sh
    if you don't know a better file)
        sysctl -w net.core.rmem_default=8388608
        sysctl -w net.core.wmem_default=8388608
    --
    peerguardian-devel@lists.sourceforge.net by dogg@retroject.net - 2010-04-20

  - on "stop" remove kernel modules that were inserted by pglcmd. (see dino's
    synology packaging http://forums.phoenixlabs.org/showpost.php?p=128371&postc
    ount=20). Probably disable this per default, to avoid problems.

  - fix debconf to use debian/config again.
    This stuff is currently in postinst, because otherwise debconf doesn't work
    as expected: Debconf runs twice during installation: first it asks questions
    and then it overwrites the answers with the not-yet modified configuration
    files.
    Further the debconf database is not cleared properly on purge.

  - adapt test function for peerguardian .p2b v2 binary format blocklist
    formats.

  - [DISCUSS]: if any blocklist is unavailable, should pglcmd exit (as it
    does currently, in order to give no false security), or continue but return
    an error (if one list is missing, it's still better to use at least the
    other blocklists).

  - [DISCUSS] Block IPv6 completely because currently only IPv4 is checked?




pglgui:

  [freemind]

  FIX:

  - enable "Allow Port" on right-click only for protocols TCP and UDP.

  - images/settings.png is not shown (at least under Gnome)

  - right-click whitelisting:
    tooltips are not shown (at least under Gnome)
    "Whitelist temporarily" is not explained to the user

  - show local blocklists (files in /etc/pgl/blocklists.local/) in Configure tab
    (adding them works flawlessly)

  - save some space to allow a smaller window, while "Whitelist" in the
    Configuration Tab is still visible with one line (Jerriy, 2011-10-11,
    http://ubuntuforums.org/showpost.php?p=11331774&postcount=554)

  NEW FEATURES:

  - policykit support (instead of kdesudo/gksu)
    This also solves this security problem: you can give root rights to
      "/usr/bin/gksu "sh /tmp/execute-all-pgl-commands.sh""
    But this file is writable for the user.

  - implement "long run whitelisting concept" (see "All components" below").
    This has to be done first in pgld, then in pglcmd and then in pglgui.

  - "Allow temporarily" on right-click in the log of blocked IPs:
    delete the iptables rule after X minutes (as far as pglgui doesn't crash,
    otherwise live with it and wait for the next pglcmd restart)

  - "Details about blocked IP" on right-click in the log of blocked IPs:
    - pglcmd search IP [requires search function in pgld, see above.]

  - Window title "Blocking $X IP ranges ($Y IPs)":
    Correct long term implementation: request the data from pgld via dbus.

  - use ${BLOCKLISTS_DIR}/lists.xml to determine human friendly blocklist names
    for URLs like this: http://list.iblocklist.com/?list=ewqglwibdgjttwttrinl&fi
    leformat=p2p&archiveformat=gz
    *** Also use lists.xml to show the list description. ***

  - "Last blocklist update":
    Implement per blocklist in "Configure - Blocklist"
    (use "stat --format=%y $BLOCKLIST_DOWNLOADED | head -c 16").
    [ $BLOCKLIST_DOWNLOADED requires ${BLOCKLISTS_DIR}/lists.xml (implement
    directly in pglgui or use function LIST_URL2LIST_NAME from pglcmd.lib ]

  - pop-up warning on errors from pglcmd (e.g. blocklist is not available)
    [ Requires pglcmd dbus ]

  - show total of blocked connections (requires implementation in pgld with
    dbus)




All components:

  - long run whitelisting concept:
    * allow.p2p etc.:
      implementation pgld:
        pgld [OPTIONS] -b BLOCKLIST(S) -w WHITELIST(S)
        pgld -m -b BLOCKLIST(S) -w WHITELIST(S) > master_blocklist.p2p
        The IP ranges in the allowlists get removed from pgld's internally
        loaded blocklist/the master blocklist.
        NOTE: parser.c already has to handle lists in ipfilter.dat format. In
        .DAT there is a value which if >=128 means that the IP range is allowed.
        The current implementation is parser.c simply ignores these IP ranges.
        NOTE: the following implementation doesn't work:
        - check packets first against the allowlist, if match: do the same as
          for non-matching against blocklist
        - then check against blocklist (as currently)
        --> if IP A is in a WHITELIST and IP B is in a BLOCKLIST, then traffic
            between A and B is not blocked in FWD (checks saddr and daddr, thus
            it matches A in any case), but blocked in IN (if B is saddr) and OUT
            (if B is daddr).
      implementation pglcmd:
        - remote whitelists automatically updated (URLs in allowlists.list)
        - local whitelists (in folder allowlists.local).
        - remove variables ALLOW_[IN|OUT|FWD]
    * WHITE_IP_[IN|OUT|FWD]:
      user defined IP whitelistings on a per chain basis. May appear in a remote
      whitelist today, but not tomorrow. Are managed through iptables.
      (keep current implementation).

  - use dbus for communication between components. Especially for logging
    events, instead of parsing the logfiles. [partly done]
    change naming to e.g. org/pgl/pgld/...

  - use inotify (available since Linux kernel 2.6.13) to reload after
    configuration change.

  - use e.g. notification-daemon to notify about errors.

  - automatic documentation, use e.g.
    doxygen (creates doc from source)
    doconce (markup language for several output formats).

  - fix/update license headers of pglgui (including autotools/m4 files) and
    pgld. use new debbian/copyright format.

  - cppcheck --enable=all ./

  - coccinelle
    automatically analyze and rewrite C code
    https://lwn.net/Articles/315686/




Buildsystem:

  - add check in configure.ac to prevent building the GUI while LOWMEM is
    enabled.

  - check if each component can be built separately




Packaging:

  - add LOWMEM and NODBUS flavor packages

  - build for other arches with qemubuilder
    test OpenSUSE build service

  - add debtags to debian packages

  - Use dpkg-buildflags to add disable_zlib to PGLD_CPPFLAGS for Ubuntu Lucid
    (instead of disabling it in the git branch).




Web:

  - Use the default sourceforge project website template for
    [DONE] http://peerguardian.sourceforge.net/ and
    [TODO] http://moblock-deb.sourceforge.net/
    This template gives all relevant project links and shows the news entries.

  - All other contents can then be added to the wiki of
    peerguardian.sourceforge.net:
    [TODO] create wiki at peerguardian.sourceforge.net
    [TODO] add contents based on https://help.ubuntu.com/community/MoBlock
    [TODO] add information for new developers, short git intro
    [TODO] add contents from wiki.phoenixlabs.org (see archive.org), especially
           the official blocklist specifications.
