Subject: Re: New IP filter code
To: Lennart Augustsson <augustss@cs.chalmers.se>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-kern
Date: 04/01/1997 15:26:33
enami (enami@cv.sony.co.jp) writes:

Lennart Augustsson <augustss@cs.chalmers.se> writes:

> Has anyone verified that the new IP filter code can actually
> do NAT?

It works at least for me.  I'm using NAT on a NetBSD machine
running -current of a few days ago.

> Did you enable ip filter by command `/sbin/ipf -E'?  Since the bug
> that the pseudo device attach routine erroneously called the ip filter attach
> routine, and as a result ip filter was always enabled, is fixed, now we
> have to enable ip filter explicitly.

Having to explicitly turn ip_filter *on* is a bug, in some environments.
I've used ip_filter to build firewalls, and I really *liked* the
feature that if you configure in ipf statically, the kernel comes up
with everything disabled until you add in filter rules.

I can see how someone using ipf to reduce insecurity of diskless
or dataless machines on a network wouldn't like that feature:
you might need network access to insert filters to turn *any* network
access on.

So, can we get an option to add the ``bug'' back in, for those who
want it?