Subject: Re: Try again, itojun, patches need more work.
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 06/30/2003 21:49:45
On Mon, Jun 30, 2003 at 12:38:10PM -0700, Jason Thorpe wrote:
> 
> On Monday, June 30, 2003, at 12:19  PM, Manuel Bouyer wrote:
> 
> >But from what I understood, Itojun will move the IPsec classification
> >to PF. Or is it just part of the IPsec classification ?
> 
> In general, "packet classification" is looking into a packet and 
> assigning some class identifier to it.

Yes. But the problem is that there are a lot of different ways to look into
a packet (or, rather, a lot of different things to look at). This is why
I don't see how it could be turned into a library. Each classification
engine will have its own way of doing it, looking at different things
(I'm not talking only about PF vs IPF here), possibly interacting with
a userland daemon. To be useful the library will have to be general enough,
and to be general enough it won't do much.

> 
> PF has both a classification engine and an application (a firewall/NAT 
> package).  IPsec is another application which can use PF's 
> classification engine.  ALTQ is another.
> 
> The conversation has been muddled so far because PF contains both 
> parts, and so people are confusing PF's classification functionality 
> with its firewall/NAT application functionality.

As far as I'm concerned I can see the difference :)

This is also one of the problems of switching ALTQ/ipsec to pf's classification
engine. You want a classification engine, you get a firewall/NAT application
for free ... which you don't necessarily need or want :)

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 24 years of experience will always make the difference
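The distinction Jason Thorpe draws above, a classification engine that looks into a packet and assigns a class identifier versus the applications (firewall/NAT, IPsec, ALTQ) that act on that identifier, as an added example. This is not code from the original post, nor PF's, ALTQ's or NetBSD's IPsec code; the rule table, the sample packets, the `altq_queue_for` and `ipsec_required_for` consumers and every other name here are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Class identifiers handed out by the (hypothetical) classification engine. */
enum pkt_class { CLASS_NONE = 0, CLASS_INTERACTIVE = 1, CLASS_DNS = 2, CLASS_BULK = 3 };

/* One rule: the fields this engine looks at (proto, dst port) and the class
 * it assigns. A zero proto or port is a wildcard. */
struct rule { uint8_t proto; uint16_t dport; enum pkt_class cls; };

/* Constructed rule table for this example; first match wins. */
static const struct rule rules[] = {
    { 6,  22, CLASS_INTERACTIVE },  /* TCP/22 */
    { 17, 53, CLASS_DNS },          /* UDP/53 */
    { 6,   0, CLASS_BULK },         /* any other TCP */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The classification engine: parse an IPv4 packet and return a class id.
 * Truncated, malformed or unmatched packets get CLASS_NONE. */
enum pkt_class classify(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return CLASS_NONE;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = rd16(pkt + 2);
    if (ihl < 20 || total < ihl || total > len)   /* bad IHL, or a length field that lies */
        return CLASS_NONE;
    uint8_t proto = pkt[9];
    int first_frag = (rd16(pkt + 6) & 0x1fff) == 0;   /* fragment offset == 0 */
    uint16_t dport = 0;
    /* Ports are only present in the first fragment, and only if the L4 header fits. */
    if ((proto == 6 || proto == 17) && first_frag && total >= ihl + 4)
        dport = rd16(pkt + ihl + 2);
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i].proto && rules[i].proto != proto) continue;
        if (rules[i].dport && rules[i].dport != dport) continue;
        return rules[i].cls;
    }
    return CLASS_NONE;
}

/* Two "applications" in Thorpe's sense. Each consumes only the class id and
 * knows nothing about how it was derived. Hypothetical; not ALTQ's or the
 * IPsec stack's real interfaces. */
int altq_queue_for(enum pkt_class c)
{
    switch (c) {
    case CLASS_INTERACTIVE:
    case CLASS_DNS:  return 1;   /* low-latency queue */
    case CLASS_BULK: return 2;   /* bulk queue */
    default:         return 0;   /* default queue */
    }
}
int ipsec_required_for(enum pkt_class c) { return c == CLASS_BULK; }

/* Constructed test packet: 20-byte IPv4 header plus an 8-byte L4 header
 * carrying dport. claimed_total is written into the IP total-length field so
 * a lying header can be exercised. Returns the real buffer length (28). */
size_t build_pkt(uint8_t *buf, uint8_t proto, uint16_t dport, uint16_t frag_off,
                 uint16_t claimed_total)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;                                          /* IPv4, IHL = 5 */
    buf[2] = (uint8_t)(claimed_total >> 8); buf[3] = (uint8_t)claimed_total;
    buf[6] = (uint8_t)(frag_off >> 8);      buf[7] = (uint8_t)frag_off;
    buf[8] = 64; buf[9] = proto;                            /* TTL, protocol */
    buf[12] = 10; buf[15] = 1;                              /* src 10.0.0.1 */
    buf[16] = 10; buf[19] = 2;                              /* dst 10.0.0.2 */
    buf[20] = 0xc0; buf[21] = 0x00;                         /* src port 49152 */
    buf[22] = (uint8_t)(dport >> 8);        buf[23] = (uint8_t)dport;
    return 28;
}

/* Build one sample and classify it, optionally truncated to len bytes. */
enum pkt_class classify_sample(uint8_t proto, uint16_t dport, uint16_t frag_off,
                               uint16_t claimed_total, size_t len)
{
    uint8_t p[28];
    size_t n = build_pkt(p, proto, dport, frag_off, claimed_total);
    return classify(p, len < n ? len : n);
}

int main(void)
{
    enum pkt_class c = classify_sample(6, 22, 0, 28, 28);
    printf("TCP/22 -> class %d, altq queue %d, ipsec %s\n", c, altq_queue_for(c),
           ipsec_required_for(c) ? "required" : "not required");
    return 0;
}
```

The consumers never touch the packet, which is the separation being discussed: they could be fed by any engine that emits the same class ids. The non-first-fragment case shows why engines differ in what they look at: with no port visible, this one falls through to the protocol-only rule, so a policy consumer gets a different answer for later fragments of a flow than for its first, and an engine that wants to be consistent has to carry flow state rather than just inspect headers.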