Subject: kern/7264: kernel examples that include ipfilter should include IPFILTER_LOG
To: None <gnats-bugs@gnats.netbsd.org>
From: None <woods@mail.weird.com>
List: netbsd-bugs
Date: 03/27/1999 12:28:31
>Number:         7264
>Category:       kern
>Synopsis:       kernel examples that include ipfilter should include IPFILTER_LOG
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 27 09:35:01 1999
>Last-Modified:
>Originator:     Greg A. Woods
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Release:        NetBSD-current Fri Mar 26 08:25:14 EST 1999
>Environment:

>Description:

	All kernels, particularly "GENERIC" configurations, which
	include "pseudo-device ipfilter" should also include the most
	useful "options IPFILTER_LOG".

	A commented out "#options IPFILTER_DEFAULT_BLOCK" might also be
	added too.

	(Actually I've always thought IPFILTER_LOG should be the default
	and there should only be a little used _NOLOG option for those
	people who really know what they are doing and who really know
	that they don't need/want the logging feature to work.  In any
	case this is certainly something that's very surprising to find
	missing from a "GENERIC" kernel that's got ipfilter in it.)

>How-To-Repeat:

	fgrep -i ipfilter /usr/src/sys/arch/*/GENERIC

>Fix:

	edit all configs to make things a bit more consistent and
	complete.

	(only amiga, sparc64k and x68k are complete now)

	consider adding ipfilter to the GENERIC configurations for those
	architectures that don't yet have it turned on by default
	(arm32, newsmips, sun3)

	I have also been working on some patches for ipmon so that it
	would print and/or log a message and perhaps die to indicate
	that logging wasn't enabled instead of just sitting there like a
	big dummy and saying nothing, but they're not ready yet.
>Audit-Trail:
>Unformatted:
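
Added example, not part of the original report or of the NetBSD tree: a shell check that goes one step past the fgrep under How-To-Repeat and reports, per architecture, whether an active "pseudo-device ipfilter" line is accompanied by an active "options IPFILTER_LOG" line. The DIR/*/GENERIC layout is taken from the report's fgrep path; the function names, status words and the sample configs in demo() are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag kernel configs that enable ipfilter without IPFILTER_LOG.

# Print FILE with '#' comments removed, so commented-out lines do not count.
strip_comments() {
    sed -e 's/#.*$//' "$1"
}

# True if FILE has an active "pseudo-device ipfilter" line.
has_ipfilter() {
    strip_comments "$1" |
        grep -Eq '^[[:space:]]*pseudo-device[[:space:]]+ipfilter([[:space:]]|$)'
}

# True if FILE has an active "options NAME" line (NAME given as $2).
has_option() {
    strip_comments "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=]|\$)"
}

# Classify one config file: no-ipfilter, ok, or missing-log.
audit_config() {
    if ! has_ipfilter "$1"; then echo "no-ipfilter"
    elif has_option "$1" IPFILTER_LOG; then echo "ok"
    else echo "missing-log"
    fi
}

# Audit DIR/*/GENERIC (layout assumed from the report's fgrep path).
audit_tree() {
    for f in "$1"/*/GENERIC; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(audit_config "$f")" "$(basename "$(dirname "$f")")"
    done
}

# Constructed sample configs (hypothetical arch names), audited in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/arch_a" "$d/arch_b" "$d/arch_c"
    printf 'pseudo-device\tipfilter\t# IP filter\noptions \tIPFILTER_LOG\t# log support\n' > "$d/arch_a/GENERIC"
    printf 'pseudo-device\tipfilter\n#options \tIPFILTER_LOG\n' > "$d/arch_b/GENERIC"
    printf '#pseudo-device\tipfilter\n' > "$d/arch_c/GENERIC"
    audit_tree "$d"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then audit_tree "$1"; else demo; fi
```

Run with a directory argument such as /usr/src/sys/arch to audit a real tree; with no argument it audits the constructed samples.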