I have been testing blacklistd today. It works nicely, but one thing I don't understand is whether or not the bpfjit module is needed.
I have securelevel=1 in rc.conf. To load the module early, before securelevel gets raised, I added bpfjit to /etc/modules.conf, and then "set bpf.jit on;" in npf.conf. However, when I reload npf rules I get the following complaint:

    npfctl: error loading the bpfjit module; performance will be degraded: Operation not permitted
    npfctl: To disable this warning `set bpf.jit off' in /etc/npf.conf

So I set bpf.jit off instead, and blacklistd continues to work fine. I presume bpf.jit is not really necessary for blacklistd to work properly?