Darren Reed writes:
> > If you have to patch it on for now, that's ok, but please do explain
> > how we get from the patched-on state to a longer-term usable state.
> >   
> 
> In the fullness of time, IPFilter will allow administrators to
> "decapsulate" packets, so that in instances where there are
> interesting IP headers "inside" the packet in clear text, it
> will be possible to filter on those.
> 
> Thus filtering on layer 3 headers from layer 2 should just
> become another use of that design rather than something
> special.

So, that future design won't use the "layer2" tag, correct?

> The "layer2" tag was adopted after you expressed distaste for
> having an "ip-head" or "l2-head" option with the ipf rules.
> Given that the "layer2" keyword does not fit at all with future
> direction, the only option is to flag it as "volatile" (or "obsolete.")

I expressed distaste for "ip-head" because it forces the user to work
around design issues in IP Filter itself, telling the system when to
advance the pointer from the MAC layer to the network layer header,
rather than just using 'head' for grouping.  (And I'm not sure what
you mean, because the original specification from last April has a
"layer2" tag, and I don't _think_ we talked about it before that.)

Given that "layer2" is a temporary scheme, it sounds like "Obsolete
Volatile" is the right way to go.  The man page should warn that the
keyword may go away in the future.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
