Subject: Re: IPv4 fast routing versus IPSEC
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: tech-net
Date: 02/24/2003 17:14:59
On Mon, Feb 24, 2003 at 08:06:12PM -0500, Thor Lancelot Simon wrote:

 > 1) Cache policy engine decision per-flow in ipflow
 > 2) Notify ipflow from the policy engine when new policies are loaded; even
 >    the coarse action of clearing all current flow state should suffice, and
 >    be better than the current state of affairs; on most systems, policies
 >    don't change all that often.
 > 
 > What do you think?

That sounds pretty reasonable.  Really, all you need to do is refuse to
enter an ipflow entry into the cache if there is an IPsec policy that
requires it to be dropped or IPsec-processed (and obviously invalidate
the ipflow cache if the policy database changes).

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>
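The scheme the two messages converge on (cache the policy decision per flow, refuse to create a fast-path entry for flows that IPsec policy wants dropped or processed, and invalidate the whole flow cache when the policy database changes) can be sketched in a few dozen lines. The following is an added illustration, not NetBSD's ipflow or IPsec code: the `spd_*` and `ipflow_*` names, the direct-mapped cache, the destination-prefix-only policy match and the sample flows and policy are all constructed here. Instead of walking the cache and clearing every entry on a policy load, it bumps a policy generation counter and treats any entry stamped with an older generation as stale on lookup, which has the same effect as the coarse "clear all flow state" notification with no walk.

```c
/* Added illustration (not NetBSD's ipflow or IPsec code): a fast-path flow
 * cache that refuses to cache flows an IPsec policy wants dropped or
 * IPsec-processed, and that is invalidated wholesale when policies change. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum spd_action { SPD_NONE, SPD_DISCARD, SPD_IPSEC };

struct flow_key { uint32_t src, dst; uint8_t proto; uint16_t sport, dport; };

/* Hypothetical policy entry: destination prefix -> action. */
struct spd_entry { uint32_t dst, mask; enum spd_action action; };

#define SPD_MAX 8
static struct spd_entry spd[SPD_MAX];
static int spd_count;
static unsigned spd_generation;   /* bumped on every policy load */

/* Replace the whole policy set. Bumping the generation is the "notify
 * ipflow" hook: every cached flow created under the old policy goes stale. */
void spd_load(const struct spd_entry *entries, int n) {
    if (n > SPD_MAX) n = SPD_MAX;
    memcpy(spd, entries, (size_t)n * sizeof(*entries));
    spd_count = n;
    spd_generation++;
}

enum spd_action spd_lookup(const struct flow_key *k) {
    for (int i = 0; i < spd_count; i++)
        if ((k->dst & spd[i].mask) == (spd[i].dst & spd[i].mask))
            return spd[i].action;
    return SPD_NONE;
}

#define IPFLOW_MAX 16
struct ipflow { int valid; unsigned generation; struct flow_key key; uint32_t nexthop; };
static struct ipflow ipflows[IPFLOW_MAX];

static int key_eq(const struct flow_key *a, const struct flow_key *b) {
    return a->src == b->src && a->dst == b->dst && a->proto == b->proto &&
           a->sport == b->sport && a->dport == b->dport;
}

static unsigned flow_hash(const struct flow_key *k) {
    return (k->src ^ k->dst ^ ((unsigned)k->sport << 16) ^ k->dport ^ k->proto) % IPFLOW_MAX;
}

/* Returns 1 if the flow was cached, 0 if it was refused because policy
 * requires the slow path (discard or IPsec processing). */
int ipflow_create(const struct flow_key *k, uint32_t nexthop) {
    if (spd_lookup(k) != SPD_NONE)
        return 0;
    struct ipflow *f = &ipflows[flow_hash(k)];
    f->valid = 1;
    f->generation = spd_generation;
    f->key = *k;
    f->nexthop = nexthop;
    return 1;
}

/* Returns the cached entry on a hit, NULL on a miss. An entry stamped with
 * an older policy generation is evicted and reported as a miss. */
const struct ipflow *ipflow_lookup(const struct flow_key *k) {
    struct ipflow *f = &ipflows[flow_hash(k)];
    if (!f->valid || !key_eq(&f->key, k))
        return NULL;
    if (f->generation != spd_generation) {
        f->valid = 0;
        return NULL;
    }
    return f;
}

/* Constructed sample data: tunnel everything to 10.0.0.0/8, leave the rest alone. */
static const struct spd_entry sample_policy[] = { { 0x0A000000u, 0xFF000000u, SPD_IPSEC } };
static const struct flow_key plain_flow = { 0xC0A80101u, 0xC0A80202u, 6, 40000, 80 };
static const struct flow_key vpn_flow   = { 0xC0A80101u, 0x0A010203u, 6, 40001, 443 };

int main(void) {
    spd_load(sample_policy, 1);
    printf("plain flow cached: %d\n", ipflow_create(&plain_flow, 0xC0A80201u));
    printf("vpn flow cached:   %d\n", ipflow_create(&vpn_flow, 0xC0A80201u));
    spd_load(sample_policy, 1);   /* policy reload: cache must be treated as empty */
    printf("plain flow hit after reload: %d\n", ipflow_lookup(&plain_flow) != NULL);
    return 0;
}
```

The check that matters for correctness is the one in `ipflow_create`: a flow is only ever fast-pathed if the policy engine said `SPD_NONE` for it at creation time, and the generation stamp guarantees that answer is never trusted past the next policy load.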