James Carlson wrote:
> Darren Reed writes:
>
>> The "layer2" bits I consider to be a blight on the configuration syntax,
>> not to mention that implementation atrocity that results in policy needing
>> to be defined twice, and I will be looking for a way to architect it out in
>> the future.
>>
>
> The problem I'm pointing out here is that it is incongruous to make
> crucial security configuration syntax "Volatile." If there's anything
> I don't want to have disappear or change in meaning over time, it'd
> have to be my system security configuration.
>
...
>> is something that we can accommodate in the short term for the sake of
>> expediency but in the long term, the last of those three needs to die.
>>
>
> Then this case is incomplete. It needs to explain where we're going
> and how we'll get there.
>
> Do we need to distinguish between the "layer 3" and "layer 3 at L2"
> cases, and, if we do, how do we do that in a way that will not just
> result in future breakage?
>
> If you have to patch it on for now, that's ok, but please do explain
> how we get from the patched-on state to a longer-term usable state.
>

In the fullness of time, IPFilter will allow administrators to "decapsulate"
packets, so that in instances where there are interesting IP headers "inside"
the packet in clear text, it will be possible to filter on those. Thus
filtering on layer 3 headers from layer 2 should just become another use of
that design rather than something special.

The "layer2" tag was adopted after you expressed distaste for having an
"ip-head" or "l2-head" option with the ipf rules.

Given that the "layer2" keyword does not fit at all with future direction,
the only option is to flag it as "volatile" (or "obsolete.")

Darren
