Subject: Re: Non-IPSec Processing Point for ipf
To: Curt Sampson <cjs@cynic.net>
From: Martin Husemann <martin@duskware.de>
List: tech-net
Date: 04/17/2003 10:41:14

On Thu, Apr 17, 2003 at 05:27:45PM +0900, Curt Sampson wrote:

>     block in log on ex0_noipsec all head 110

Maybe it can be made slightly more general by adding canonical tap/filter
only interfaces and making "tap0" attach to "ex0" at tap point "noipsec"
with a userland utility and then 

     block in log on tap0 all head 110

I have the vague feeling this could be useful for bridge devices too, and
maybe other multi-protocol/stacked interfaces, or even a more general netgraph-
like scheme where every module connector is a tap point.

Martin