Subject: ipfilter loading.
To: None <tech-kern@NetBSD.ORG>
From: Darren Reed <darrenr@arbld.unimelb.edu.au>
List: tech-kern
Date: 04/29/1997 11:04:00
I'm a little concerned that netbsd-current requires an explicit "ipf -E"
to enable filtering.  In the past, it would either initialise when loaded
as an LKM or when the kernel went through initialising bits and pieces.

The actual purpose (if I recall correctly) of adding -D/-E was to provide
a way of disabling IP Filter without unloading it (i.e. if securelevel was
integrated into this, it would allow neither -D nor -E) when compiled into the
kernel.

Previously when compiled into the kernel, it was active by default (which
was intended) and packets would be subject to the compiled default until
filter rules were loaded.  The same would also happen when compiled as an
LKM (enabled upon loading).  The requirement for doing an "ipf -E" seems,
to me, superfluous and inconsistent (no, I don't like the idea of needing
to do it either).

Looking at netstart, if you wanted to be perfect, combined with being
already enabled in the kernel, you would do:

ipf -If /etc/ipf.conf -s -Fa

I know the previous behaviour was considered "buggy", but I can't say that
I've seen any problems.

Comments?

Darren
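As an added illustration of the netstart sequence discussed above (this is example code, not part of Darren's message or of NetBSD's netstart), the helper below does what the quoted command line does, but explicitly enables the filter first, since netbsd-current no longer enables it at load time: rules go into the inactive set (-I) from a file (-f), the sets are swapped (-s), and the now-inactive old set is flushed (-Fa), so the active set is never empty between flush and load. The function name ipf_load and the IPF variable (which lets you point the helper at a stub for a dry run) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: an rc/netstart-style helper that
# enables IP Filter explicitly and then loads a rule set the way the quoted
# command line does. IPF is an assumption for dry runs; default is the real ipf.
: "${IPF:=ipf}"

# ipf_load RULES_FILE
# Returns 1 if the rules file is unreadable, otherwise the exit status of ipf.
ipf_load() {
    rules="$1"
    if [ ! -r "$rules" ]; then
        echo "ipf_load: cannot read $rules" >&2
        return 1
    fi
    # Enable filtering; on a kernel that is already enabled this is harmless.
    "$IPF" -E || return $?
    # -If: load the file into the inactive set; -s: swap active and inactive;
    # -Fa: flush all rules in what is now the inactive (old) set. Loading into
    # the inactive set first avoids a window where the filter runs with no rules.
    "$IPF" -If "$rules" -s -Fa
}
```

To see the commands a given rules file would produce without touching the kernel, run it with IPF set to a shell function or script that only prints its arguments.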