- get rid of duplicated code in init-script:
      if test "$found_active" -a "$found_inactive"; then
      eval found_$rule=1

- First prio: check Documentation for support for unprotecting an interface:

- /etc/init.d/uruk flush does not flush nat nor mangle table.  This means
force-reload breaks when these tables are in use.  See comment near initd_flush.
Fix this, and accept the introduced cruft.   Tnx Wessel.

- Phase out support for services_eth0_udp, but enforce ipS_eth0; warn for
obsolete syntax

----------------- end of candidates for upcoming release ------------------
----------------- stuff which just might happen one day -------------------

- use functions
   log_daemon_msg
   log_end_msg
   log_action_msg
in init-script, see e.g. firehol init script

- Thu 20 23:13 < fvos> joostvb: ik zou de huidige rc graag gesplitst zien in 
                     meerdere losse bestanden, bijvoorbeeld 'networks', 
                     'sources' en zo. Daardoor kunnen de entries in die 
                     bestanden ook eenvoudiger namen hebben en is misschien 
                     kwaliteitscontrole op missende verwijzingen ook 
                     eenvoudiger.
Fri 21 05:37 < joostvb> fvos: een syntax-checker zou inderdaad wel handig zijn 
                        ja

- Phase out support for rc_e

- Debian package: S40uruk could better be S41uruk: explicitly start after
networking (which is S40networking).

- We setup firewall rules only _after_ the network interfaces are configured.
This is dumb: we are vulnerable for bugs in the kernel's IP stack.  One
solution for this: Create an /etc/init.d/uruk-pre script, which is run as early
as possible, and _before_ network interfaces are configured.  It should disable
all networktraffic (except for traffic on loopbackinterface).  Only later,
networkinterfaces are configured, /etc/init.d/uruk is run and networkservices
are started.  (N.B.: so even with the current setup we _do_ protect our
services).

- In uruk-rc manpage, include example rc-file verbatim.  Include license text.

- Create "upload" target in /Makefile.am

- Improve examples in documentation:
<Fruit> joostvb: ik geloof dat ":" een leuke shorthand is voor "alle poorten"

- Fix bugs in uruk script: (force-)reload should do something sane when
uruk not running.

- Check documentation: uruk-rc manpage needs more stuff.

- Perhaps we need an uruk-init manpage, for the init script.

- Write a wrapper for OpenBSD's pf and FreeBSD's ipfilter, so that these tools
can use the same rc file format.  We'd also have to make sure init-script
works on non-LSB-systems, then.

- Reimplement uruk-save: make it more robust.  See
http://www.faqs.org/docs/iptables/iptables-save.html for example of file
format.  Use logic from iptables-save.c.

- Think about alternative for uruk-save: create a chain, and enable it once it's
fully build by doing just one iptables call.  This would allow truly atomical
loading of new rulesets.

- Is it sane to allow all traffic in default inactive rule?

- Check save_counters support in init script.  It's likely broken.

- Date: Wed, 9 Feb 2005 15:09:16 +0100
Message-ID: <20050209140916.GZ1487@trogdor.uvt.nl>
Herken broadcasts (misschien aan destination MAC-adres?) en log ze niet.
.
alternative implementation: near code-snippet:
 # supporting this for multiple-ips would need multiple chains
 # or, perhaps, some iptables extension.
This log-spamming happens only in multiple-ip-per-nic mode.
Do DROP stuff just before log, would that work?  (No, we really can't do
something like "--dest !(ip1 or ip2 or ip3)".)
.
yet to implement: loglevel "high".  Document multiple ip per nic logspamming bug.

- Finish IPv6 support.  Change to enabled-by-default.  Document it.

# this file maintained using arch at http://arch.gna.org/uruk/
