-- how to convert other packet filters to npf
-- have a way to use npflog to log packets to syslog
-- have a way to match dropped packets to rules
-- have a way to list the active nat sessions
-- npfctl start does not load the configuration if not loaded.
   It is not clear you need to reload first. Or if it loads it should
   print the error messages. Or it should be called enable/disable since
   this is what it does. It does not "start" because like an engine with
   no fuel, an npf with no configuration does not do much.
-- able to specify interfaces before they are created
-- docs/examples out of date
-- npf starts up too late (after traffic can go through)
-- need libpcap in /
-- although the framework checks the file for consistency, returning EINVAL
   for system failures is probably not good enough. For example if a module
   failed to autoload, it is probably an error and it should be reported
   differently?
-- npf algorithms like icmp, are loaded via modules. Perhaps it is better
   to have some config magic to autoload it instead of needing to run a
   module command.

ok npf and dependent modules should autoload automagically as they are used
ok have a way to register cloners? through a mapping file? consistently naming
   the cloner modules? if_cloner? Split if_npflog from the ext_log module and
   added autoloading for cloners.
ok normalise -> normalize (the official project language is US/English)
ok modules should move from /usr/lib to /lib
ok parse dynamic map rule properly inet4($ext_if) does not work
ok create npflog interface automatically
ok need to bring interface npflog up
ok parse 'port "ftp-data"' properly
ok fix usage
ok get better messages from the kernel when things fail: Ok with
   DEBUG/DIAGNOSTIC, you get the file/line in the kernel that failed 
   which is good enough.
ok 'ifconfig npflog0 destroy; modunload if_npflog'. Remove dependency
   on npf_ext_log module, since if_npflog can load and unload independently.