-- how to convert other packet filters to npf
-- have a way to use npflog to log packets to syslog
-- have a way to match dropped packets to rules
-- have a way to list the active nat sessions
-- npfctl start does not load the configuration if not loaded.
   It is not clear you need to reload first. Or if it loads it should
   print the error messages. Or it should be called enable/disable since
   this is what it does. It does not "start" because like an engine with
   no fuel, an npf with no configuration does not do much.
-- npf starts up too late (after traffic can go through)
-- although the framework checks the file for consistency, returning EINVAL
   for system failures is probably not good enough. For example if a module
   failed to autoload, it is probably an error and it should be reported
   differently?
-- startup/stop script does not load and save session state
-- add algo for "with short"
-- implement "port-unr"
-- implement block return-icmp in log final all with ipopts
