Subject: Re: making our tcp/ip a strong-end system
To: Luke Mewburn <lukem@goanna.cs.rmit.edu.au>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 11/13/1998 19:20:25
In some email I received from Luke Mewburn, sie wrote:
> 
> Todd Vierling writes:
> > Then why not just use ipf and eliminate all of the workarounds of
> > workarounds?
> > 
> > pass in quick on ne0 from any to 1.2.3.4
> > block in quick on ne0 all
> > pass in quick on ne1 from any to 4.3.2.1
> > block in quick on ne1 all
> > 
> > And we're done.  (Did I miss something?)

Yes, the purpose of this change isn't to _filter_ packets.

It may be that the role is similar, however, the purpose is different.

What's more, using IP Filter doesn't scale as well.

> It looks like the strongendsystem stuff is controversial enough in its
> current form that I'll have to take another look (the code needs work
> anyway). Possibly adding the ability to set the flag per interface
> would be useful.

A flag per interface is, IMHO, too complex.  If you want to go to that
level of granularity then use packet filtering.  For comparison, there
is no per-interface control of whether or not source routing packets
are dropped.

What this change is really about is forcing users to use the correct
IP# on LANs where you have servers with multiple IP#'s, security isn't
a concern and the box isn't necessarily performing a routing function.

Darren
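As an added illustration (not code from the thread or from any of its authors), a small Python model of the strong end-system check beside the quoted ipf rules: it shows that the four rules reproduce the same accept/drop decisions for the two named interfaces, while the kernel check needs no per-interface rule. The interface names and addresses are the ones from the quoted rules; the parser handles only that subset of ipf syntax, and "no matching rule means pass" is a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed host: two interfaces, each owning one address (values from the quoted rules).
IFACES = {"ne0": ipaddress.ip_address("1.2.3.4"), "ne1": ipaddress.ip_address("4.3.2.1")}


def strong_end_accept(iface: str, dst: str, ifaces=IFACES) -> bool:
    """Strong end-system model: accept only if the packet arrives on the
    interface that owns its destination address."""
    return ifaces.get(iface) == ipaddress.ip_address(dst)


def weak_end_accept(iface: str, dst: str, ifaces=IFACES) -> bool:
    """Weak end-system model: any local address is accepted on any interface."""
    return ipaddress.ip_address(dst) in ifaces.values()


@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface named after "on"
    dst: Optional[str]     # None means "all" (any destination)


def parse_rule(line: str) -> Rule:
    # Minimal parser for the two rule shapes quoted in the thread:
    #   "pass in quick on ne0 from any to 1.2.3.4"  and  "block in quick on ne1 all"
    t = line.split()
    dst = t[t.index("to") + 1] if "to" in t else None
    return Rule(t[0], t[t.index("on") + 1], dst)


def ipf_accept(rules, iface: str, dst: str) -> bool:
    # "quick": the first matching rule decides. Unmatched packets pass (assumption).
    for r in rules:
        if r.iface == iface and (r.dst is None or r.dst == dst):
            return r.action == "pass"
    return True


RULES = [parse_rule(l) for l in (
    "pass in quick on ne0 from any to 1.2.3.4", "block in quick on ne0 all",
    "pass in quick on ne1 from any to 4.3.2.1", "block in quick on ne1 all")]


def same_decisions(rules, ifaces=IFACES) -> bool:
    """True if the filter rules and the strong end-system check agree for every
    (arrival interface, local destination address) combination."""
    return all(ipf_accept(rules, i, str(a)) == strong_end_accept(i, str(a), ifaces)
               for i, a in product(ifaces, ifaces.values()))
```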