On Monday, June 30, 2003, at 11:43  AM, Manuel Bouyer wrote:

 From what I understand, the "classification engine" would just, given a
> mbuf and a tag name, put the appropriate m_tag to the mbuf.
> It can't do more, the rules to associate a tag to a mbuf is unique to
> each classification package (it may not be based on IP headers for 
> example).
> However, each classification package has its own cache of matching 
> rules.
> It would probably be more efficient if it would cache the mbuf tag 
> value
> here as well.

Well...

If you think about it, IPsec and an IP firewall package have exactly 
the same needs when it comes to classification.  Maybe it's because I 
see the "rule" that matches a packet as orthogonal to the "action" 
taken when a match is found.

It just seems silly to me to have two sets of code that parse IP 
headers in order to then tell a "classification engine" to assign a 
pre-determined name to the packet.  Really, the act of parsing those 
headers *IS* the classification step!

         -- Jason R. Thorpe <thorpej@wasabisystems.com>