Subject: Re: ipfilter loading.
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: matthew green <mrg@eterna.com.au>
List: tech-kern
Date: 04/29/1997 12:10:44
   If you revert it to the old behavior, I will be at LEAST mildly annoyed.
   With the previous behavior, every packet was passed through the
   filter rule checker even if no rules had been loaded, and the user
   had no intention of loading them.  That's a _bug_.  Also, the calling
   convention of the initialization routine was wrong.  That's a _bug_.

i'll grant the second -- it certainly was a bug.

however, i don't buy the first, simply because of historical reasons.
ip-filter has always worked this way.  if -we- change how it works,
we introduce an unnecessary incompatibility with the rest of the world's
ip-filter using population.  if a user includes the ipfilter device
and doesn't use it, they can turn it off.  granted, this isn't nice,
but it's -far- nicer than tripping up people who have used ip-filter for
the past 3+ years on other systems, or even netbsd, who don't expect
this behaviour.  i hate sun for "ping -s".

there are arguments about users running GENERIC kernels and wondering
why networking does not work.  ipfilter does _not_ belong in a GENERIC
kernel, IMO.
   
   If you want the behavior you describe, _please_ implement it as
   a kernel compile option, like:
   
   options 	IPF_EARLY_ENABLE	# ipf enabled early, no "ipf -E" req'd.

i'd very much support this option, given that its sense was reversed
(e.g., IPF_NO_EARLY_ENABLE).  all i really care about is not having
ip-filter in NetBSD being different to ip-filter everywhere else.


.mrg.