From: Alexander Bluhm <bluhm@openbsd.org>
Subject: Re: dhcpd(8): use UDP sockets instead of BPF
To: Theo de Raadt <deraadt@openbsd.org>
Cc: Alexandr Nedvedicky <sashan@fastmail.net>, tech@openbsd.org
Date: Mon, 16 Jun 2025 16:09:01 +0200

On Mon, Jun 16, 2025 at 07:49:08AM -0600, Theo de Raadt wrote:
> >     the idea is the dhcp/bootp traffic for client should be covered by 'pass
> >    all' rule.  the semi-working diff is attached for reference.
> 
> I worry quite a lot about this proposal since it presumes people have
> written their pf.conf files according to a particular style.
> 
> Anyone using dhcpd and a hand-written pf.conf is going to have a pretty bad
> time with this, and I do not believe forewarn communication will change
> anything.
> 
> As a second point, I think the components of the solution are very
> complicated compared to the existing bpf approach.

I think dhcp client with UDP sockets needs too many changes in the
network stack.  Server dhcpd with UDP sockets may work as dlg@
shows.  In both cases I see no real benefit in switching.  The old
implementation works, especially with pf.

Nevertheless I would not oppose a change in pf that makes writing
rules for dhcp easier.  If sashan@ can implement some magic that
covers all corner cases for dhcp to match request and respond, I
would like to see this in pf.

We have something similar in pf for neighbor discovery.  But that
is also incomplete.  Maybe sashan@ can fix this too :-)

bluhm