I think it's very telling that all the people arguing back are using ipf, not pf. I suspect anyone that was using pf on NetBSD is no longer using NetBSD. I certainly saw people ragequit NetBSD after their obviously remotely exploited bug reports were ignored. We can't keep having this minefield for unsuspecting users.