From: Kristof Provost
To: void
Cc: freebsd-hackers@freebsd.org
Subject: Re: pf options in kernel
Date: Tue, 15 Nov 2022 22:00:48 +0100
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On 15 Nov 2022, at 21:47, void wrote:

> Is there any advantage to having
> device pf
> options PF_DEFAULT_TO_DROP
>
> built into the kernel, over having
>
> "set block-policy drop" in /etc/pf.conf and "pf_enable="YES"" in /etc/rc.conf?
>

Configure this in your pf.conf file, not as a kernel option.

There’s at least one known bug with PF_DEFAULT_TO_DROP: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477

As a general rule you should avoid custom kernel options whenever it’s remotely possible.

Kristof