Subject: Re: IPF in our source tree
To: None <tech-kern@NetBSD.org>
From: Bernd Ernesti <netbsd@lists.veego.de>
List: tech-kern
Date: 06/05/2007 07:34:40

On Tue, Jun 05, 2007 at 07:46:01AM +0300, Martti Kuparinen wrote:
> Bernd Ernesti wrote:
> >Did you try to only load the LKM without enabling ipfilter in /etc/rc.conf?
> 
> Yes.
> 
> ROOT n106:~> ipf -V
> ipf: IP Filter: v4.1.22 (396)
> open device: Device not configured
> 
> ROOT n106:~> modload /usr/lkm/if_ipl.o
> Module loaded as ID 0
> 
> ROOT n106:~> ipf -V
> ipf: IP Filter: v4.1.22 (396)
> Kernel: IP Filter: v4.1.22
> Running: yes
           ^^^

And that is the 'problem' with this kind of change.
Loading the lkm with this change enabled ipfilter at load time.

Going back to my emails nearly 10 years ago which I sent to Darren:

- ip_fil.[ch]: ipfilterattach is really a dummy function on NetBSD, see the
  comment in it. iplattach is called by the pseudo-device attach which is
  wrong for the usage of its function so we fixed it with renaming it to
  ipl_enable and then ipldetach to ipl_disable to be consistent with the
  function names. 

Where the comment was:

!       /*
!        * Do nothing here, really.  The filter will be enabled
!        * by the SIOCFRENB ioctl.
!        */


> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0x103
> 
> ROOT n106:~> modstat
> Type    Id   Offset Loadaddr Size Info     Rev Module Name
> DEV       0  -1/44  ccba0000 0084 ccbbc9a0   2 IP Filter: v4.1.22
> 
> >Is ipfilter still disabled in this configuration?
> 
> Oh, you are right. The module doesn't work for me...

What do you mean here? I meant to say that loading the lkm should not
automatically enable it. So it would work the same way as we do
with the in kernel version.

Bernd