dhcpd(8): use UDP sockets instead of BPF
On Mon, Jun 16, 2025 at 04:09:01PM +0200, Alexander Bluhm wrote:
> On Mon, Jun 16, 2025 at 07:49:08AM -0600, Theo de Raadt wrote:
> > > the idea is the dhcp/bootp traffic for client should be covered by 'pass
> > > all' rule. the semi-working diff is attached for reference.
> >
> > I worry quite a lot about this proposal since it presumes people have
> > written their pf.conf files according to a particular style.
> >
> > Anyone using dhcpd and a hand-written pf.conf will have a pretty bad time
> > with this, and I do not believe forewarn communication will change
> > anything.
> >
> > As a second point, I think the components of the solution are very
> > complicated compared to the existing bpf approach.
>
> I think dhcp client with UDP sockets needs too many changes in the
> network stack. Server dhcpd with UDP sockets may work as dlg@
> shows. In both cases I see no real benefit in switching. The old
> implementation works, especially with pf.

but it doesn't work.

i didn't write the diff because i (allegedly) hate bpf or because i was
bored. i solved a problem at work that needs dhcpd to work more like
the network stack, but we already have a working network stack.

> Nevertheless I would not oppose a change in pf that makes writing
> rules for dhcp easier. If sashan@ can implement some magic that
> covers all corner cases for dhcp to match request and respond, I
> would like to see this in pf.
>
> We have something similar in pf for neighbor discovery. But that
> is also incomplete. Maybe sashan@ can fix this too :-)
>
> bluhm
>