>I know the previous behaviour was considered "buggy", but I can't say that
>I've seen any problems.

>From a security perspective, I think the previous behaviour of a
statically-configured ipfilter was more correct.  I don't like having
to do "ipf -E" either. I think having to do it is a bug.  If I
configure ipfilter into a kernel, ipfiltering should be on, unless
it's explicitly turned off.

maybe mktemp() is a good analogy: it *is* possible to use it safely,
but doing so requires more discipline.  Taking that discipline for
granted _is_ a security risk.

How about this for a compromise: go back to the previous "buggy" [sic]
behaviour if ipfilter is statically configured, and leave the current
behaviour for LKMs?  Using ipfilter as an LKM introduces enough
dependencies that dealing with this one too isn't much marginal cost.