Subject: Re: Try again, itojun, patches need more work.
To: Jason Thorpe <thorpej@wasabisystems.com>
From: None <itojun@iijlab.net>
List: tech-net
Date: 07/01/2003 09:49:16

>> for the backward compatibility's sake classification engine in IPsec
>> will stay. (there are ipsec.conf written for the current classification
>> engine).
>>
>> if i have time i might transition classification engine to pf
>> internally, but ipsec.conf syntax will need to stay.
>
>I would like to see everything use the same classification engine
>internally. Merged syntax/config is secondary for me.

we can't pass rulesets to pf_test() - PF runs on ruleset configured by
ioctl. to do the 2nd paragraph of mine above, i guess we need to
(1) be able to pass ruleset to PF (2) then run classification
(3) get result as a tag, rule line # that matched, or whatever.

current PF tagging works fine as long as ipsec.conf uses new syntax
(spdadd tagged "tag").

itojun