In message <20041220223403.GY23458@bcd.geek.com.au>, Daniel Carosone writes:
>> Another was that it had multiple points at which a filter could be applied.
>> So, instead of writing a single unified filter which has to take all
>> circumstances into account, you could write multiple filters.

>I've long been an advocate for splitting up classification vs
>actions. We have a number of places where a generic 'packet
>classifier' language would be of use, beyond the current firewalling:
>policy routing, ALTQ-like things, IPSEC, various event detectors like
>ppp or isdn idle triggers, and no doubt more as new features are
>contemplated.

Yes.  ipfw does all of this; the same language can be used to accept or
reject packets, or to classify them into streams, which can be rate-limited,
and so on.

Really, as of the last release, I was unaware of anything anyone wanted a
widget like this to do that ipfw didn't do fairly well.  The disappearance
of the code into Wind River's shiny new Linux strategy is a crying shame.

-s