$Id: TODO,v 1.36 2002/01/11 08:05:54 jmorris Exp $

Selopt TODO list.

Userspace:
- Flask policy for tools.
- Security context mapping daemon (scmpd).
   - need to test with multiple SIDs per message.
   - allow debug() to be compiled out.
   - bug: pt add name doesn't always insert the correct IP address.
     (e.g. 72.114.166.206/5 for 'hostname' sometimes).
   - control socket, pid file, make a proper daemon
   - consolidate headers
- queue dump & flush.
- Documentation:
    - *scmp draft
      - add specific error codes for unrecognised security contexts and SIDs (from sds).
    - overview
    - options processing
    - APIs
    - man pages
    - move current readme text to informal-overview
- Dissectors for tcpdump and ethereal.
- Library versioning.
- Bug: flmon is reporting 2x perimtab flushes, one for kernel and one for pt.

Kernel:
- Coalesce packet queue?  Worst case is the time taken for the first mapping to be
  returned via scmp compared to how fast the queue is emptied.
- Make sure bogus scmp map responses can't break kernel cache.
- Bug: does not build with modular selinux-obj (new kbuild coming anyway).
- Bug: scmpd local cache doesn't seem to work if selopt asks again for the same
  entry (e.g. after reload of module).
- Audit selopt module unload.
- Export inet ksyms (email davem once code is released).
- Handle defragmentation.
- Finer-grained netlink policy.
- Don't allow sockopt/raw/cmsg override of options [should be ok, but needs to be audited].
- More ICMP error reporting for labeling errors.
- ICMP labeling.
- DoS protection.
- TCP resets.
- Handle policy change (local and remote).
- Handle encap & decap hooks.
- Verify syncookies ok.
- Performance improvements: better data structures, reduce lock contention etc.
- Mapping cache:
  - Count dropped packets.
  - Handle map invalidation.
  - Garbage collection.

General:
- Add kernel config help.
- Per-peer map dumps.
- Implement policy and new checks for labeled networking.
- Stop systems outside the perimeter from determining if we are using labeling (hard).
- Performance analysis.
- Bind perimeters to local interfaces.

