On Fri, 29 Sep 2006, Paul Moore wrote:

quoted

It seems more of a pain to actually
prevent their use at the same time and/or explain strange/unnatural
behavior.

Agreed, the solution that we agreed upon is much easier to implement and
explain than a lot of the alternatives.

Ok, can you please explain it further?

i.e. show me what the policy looks like, exactly what the user is trying 
to achieve, and explain what happens to each packet exactly in terms of 
labeling on the input and output paths.




-- 
James Morris
[off-list ref]