Subject: Re: PF for netbsd
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 06/27/2003 16:06:53
>I would like to state for the record that I support removing duplicated
>packet classification engines. The needs of a firewall, traffic
>shaper, and IPsec SPD/SAD engine are all basically the same.
>Of course, it would be nice if everything used BPF as the actual
>matching engine, [...]
No, it is *not* a good idea. There are situations where using BPF
is a really, really *bad* idea.
Consider, for example, a host with an aggregate of a gigabit or so; of
which some very small fraction requires IPsec transforms. Next
example is a system with a fast (60 Mbyte or so) IPsec accelerator
engine. Any BPF-like (bytecode interpreter) approach to that kind of
packet classification rate is completely unacceptable.