Subject: Re: Try again, itojun, patches need more work.
To: None <itojun@iijlab.net>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-net
Date: 07/01/2003 07:48:20
On Tue, Jul 01, 2003 at 09:49:16AM +0900, itojun@iijlab.net wrote:
> 
> 	we can't pass rulesets to pf_test() - PF runs on ruleset configured by
> 	ioctl.  to do the 2nd paragraph of mine above, i guess we need to
> 	(1) be able to pass ruleset to PF (2) then run classification
> 	(3) get result as a tag, rule line # that matched, or whatever.
> 
> 	current PF tagging works fine as long as ipsec.conf uses new syntax
> 	(spdadd tagged "tag").

This looks good enough for me. Keep the ipsec classification engine
for the next release, for config file syntax compatibility, and then
deprecate it.

BTW I'd like to see the same for altq.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
     NetBSD: 24 years of experience will always make the difference
--