
From:
ed@groovyexpress.com
Subject:
Re: sysutils/reaction
To:
ports@openbsd.org
Cc:
chilledfrogs@disroot.org
Date:
Tue, 16 Jun 2026 18:09:17 -0500

On Mon, 15 Jun 2026 17:11:19 +0200
Lydia Sobot <chilledfrogs@disroot.org> wrote:

> On June 15, 2026 5:49:06 GMT+02:00, ed@groovyexpress.com wrote:
> >I had ported the Rust version a couple of months ago which I think
> >you'd be interested in since it adds flexibility in how you give
> >file and doas access to the (new) reaction user instead of giving
> >reaction root access.
> My bad, somehow missed it, nice work! I see your point regarding root
> access but I'm not sure if it's worth it to add a system user,
> especially if we perhaps develop a plugin specifically for pf later via
> the ioctl, similarly to the Linux plugin counterparts (maybe)

Giving reaction its own user would allow admins to fully control
what reaction is and isn't able to do with doas.conf and be able
to check /var/log/secure to monitor what reaction is doing.

This is worth it because the fewer programs running as root, the better.
It also prevents serious damage if a system were to be running
a poor configuration that would allow malicious commands to be
executed as outlined here:

https://reaction.ppom.me/good-practices/security/

As for a reaction plugin for pf, that would require root
access which I don't think it's worth it. I've never seen
performance issues with reaction besides on startup because the
current default configuration manually adds IPs one at a
time.
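The doas.conf scoping and /var/log/secure monitoring described in this message, as an added example that is not part of the thread or of the reaction project: the doas rule, the log lines and the audit function are constructed here, and the "reaction" user name and the pfctl command it is allowed to run are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the reaction project.
# Part 1: a hypothetical /etc/doas.conf rule confining a "reaction" system
# user to one command. Part 2: an audit over doas log lines (the format
# doas writes to /var/log/secure) flagging commands outside that rule.

# doas "args" pins an exact argument list; pfctl needs a variable IP, so only
# the command is pinned here and the log audit below covers the rest.
DOAS_RULE='permit nopass reaction as root cmd /sbin/pfctl'

# Constructed sample log. Line 3 is a command that such a rule would deny;
# it appears here as if a wider rule had let it through, so the audit has
# something to catch. Line 5 is a denied attempt ("failed command for").
SAMPLE_LOG='Jun 16 18:01:02 host doas: reaction ran command /sbin/pfctl -t reaction -T add 192.0.2.10 as root from /var/empty
Jun 16 18:01:05 host doas: reaction ran command /sbin/pfctl -t reaction -T delete 192.0.2.10 as root from /var/empty
Jun 16 18:02:17 host doas: reaction ran command /bin/sh -c id as root from /var/empty
Jun 16 18:03:00 host doas: alice ran command /usr/sbin/rcctl restart reaction as root from /home/alice
Jun 16 18:03:30 host doas: failed command for reaction: /usr/bin/cat /etc/master.passwd'

# audit_doas USER ALLOWED_CMD  (reads log lines on stdin)
# Prints "<timestamp> <command line>" for each successful doas run by USER
# whose command is not ALLOWED_CMD; exit status 1 if any were found.
audit_doas() {
    awk -v u="$1" -v ok="$2" '
        # fields: 1-3 timestamp, 4 host, 5 "doas:", 6 user, 7 "ran",
        # 8 "command", 9.. command line, then "as <target> from <cwd>"
        $5 == "doas:" && $6 == u && $7 == "ran" && $8 == "command" && $9 != ok {
            line = ""
            for (i = 9; i <= NF - 4; i++) line = (i > 9) ? line " " $i : $i
            print $1, $2, $3, line
            bad++
        }
        END { exit (bad > 0) }'
}

# count_doas_runs USER: number of successful doas runs by USER on stdin.
count_doas_runs() {
    awk -v u="$1" '$5 == "doas:" && $6 == u && $7 == "ran" { n++ } END { print n + 0 }'
}

main() {
    echo "rule under review: $DOAS_RULE"
    printf '%s\n' "$SAMPLE_LOG" | audit_doas reaction /sbin/pfctl \
        && echo "reaction only ran /sbin/pfctl" \
        || echo "reaction ran commands outside the rule (listed above)"
}
main
```

On a real system the audit would read /var/log/secure (root-only) instead of the embedded sample, and the allowed command would be whatever the doas rule for the reaction user permits.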