Martin Husemann <martin%duskware.de@localhost> writes: > On Tue, Dec 01, 2020 at 09:37:05AM -0500, Greg Troxel wrote: >> So which of these is a bug? >> - that bpfjit is not compiled in >> - that there isn't a way to load modules that are signed, even at >> higher securelevel >> - that the big scary warning is printed >> - something else? > > None? > Suggested workaround: put it in /etc/modules.conf > > That should cause it to be loaded before securelevel rises. Indeed, I have already put it in modules.conf, and that works. I think it's a bug that using the standard firewall with the default config leads to lower performance (or so it says) and a big scary warning that is easily misinterpreted as "your firewall did not get enabled due to this module error". I don't see why part of npf is built in and the other part isn't. If bpfjit is truly optional and not a big deal then maybe npfctl should just not load it, so that it's used if loaded explicitly.
Attachment:
signature.asc
Description: PGP signature