Hello, David!
 >> Another point - you can upgrade ipfilter stuff without rebooting,
 >> it is useful in situations where minimum downtime is possible.

 >> PFIL_HOOKS does not add much functionality to the kernel and
 >> I always turn this on on every box.

 DWC> I think you are missing his point though. Some people kldload
 DWC> ipl.ko because they don't want to recompile their kernel. If
 DWC> they recompile it with PFIL_HOOKS might as well do ipfilter at
 DWC> the same time.

No, David. I understand it.

For those who load modules dynamically because they don't want
to recompile the kernel, this is not a solution.

My practice is to load modules dynamically to share the same kernel
between several boxes. One of these PCs works as a firewall, another
one serves my personal CVS repository and works as a test box (there are
other machines running -CURRENT and virtually all use the same kernel
and modules).

Some time ago I tried to upgrade IPFilter on the fly (kldunload &&
and it worked like a charm.

It is an endless discussion, and I really don't want to continue.

I wrote a letter because I disagree with Crist J. Clark:

>  CJC> Both. If you are getting an 'Exec format error,' there is
>  CJC> something wrong at your end. However, ipl.ko has been broken in
>  CJC> CURRENT for a "long time" (over a year at least) and will not
>  CJC> load (albeit with a different error message).

No, ipl.ko is not broken. It depends on pfil(9).

Sincerely yours,
Sergey Mokryshev.

