Darren Reed writes:
> The "layer2" bits I consider to be a blight on the configuration syntax,
> not to mention that implementation atrocity that results in policy needing
> to be defined twice, and I will be looking for a way to architect it out in
> the future.

The problem I'm pointing out here is that it is incongruous to make
crucial security configuration syntax "Volatile." If there's anything I
don't want to have disappear or change in meaning over time, it'd have to
be my system security configuration.

I agree that having to specify "I want this L3 rule to run at L2" or more
generally having to specify which hook to use for a given rule seems quite
wrong.

> Whilst it might appeal to you (since you pretty much got in the way of
> anything else), it really does not fit into anything futurish for
> ipfilter.

So much for civility.

> is something that we can accommodate in the short term for the sake of
> expediency but in long term, the last of those three needs to die.

Then this case is incomplete. It needs to explain where we're going and
how we'll get there. Do we need to distinguish between the "layer 3" and
"layer 3 at L2" cases, and, if we do, how do we do that in a way that will
not just result in future breakage?

If you have to patch it on for now, that's ok, but please do explain how
we get from the patched-on state to a longer-term usable state.

--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677