Subject: Re: IPv4 fast routing versus IPSEC
To: None <itojun@iijlab.net, tech-net@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 02/24/2003 20:06:12
On Tue, Feb 25, 2003 at 10:03:03AM +0900, itojun@iijlab.net wrote:
> >>>| date: 1999/10/26 09:53:17; author: itojun; state: Exp; lines: +6 -1
> >>>| disable ipflow (IPv4 fast forwarding) when IPsec is configured into the kernel.
> >>> Why is this the case?
>
> The IPsec policy engine is some sort of packet filter. It is not friendly
> with ipflow. For instance, if some traffic hits the ipflow cache, it won't
> be encrypted.
Hm. Perhaps a good solution would be:
1) Cache policy engine decision per-flow in ipflow
2) Notify ipflow from the policy engine when new policies are loaded; even
the coarse action of clearing all current flow state should suffice, and
be better than the current state of affairs; on most systems, policies
don't change all that often.
What do you think?
--
Thor Lancelot Simon tls@rek.tjls.com
But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel! You
plate!" and so on. --Sigmund Freud
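A user-space model of the two-point proposal in the mail (cache the policy engine's verdict per flow, and have the policy engine invalidate all flow state when policies are loaded), added here as an illustration; it is not code from NetBSD's ipflow or IPsec. The flow table, the generation counter, and the toy "encrypt everything to 10/8" rule are constructed assumptions.

```c
#include <stdint.h>

/* Hypothetical model of the proposal: an ipflow-style fast-path cache that
 * also caches the policy engine's verdict per flow, and is invalidated
 * wholesale whenever the policy database changes. */

enum policy { POLICY_UNKNOWN = 0, POLICY_BYPASS, POLICY_IPSEC, POLICY_DISCARD };

struct ipflow {
    uint32_t src, dst;      /* flow key: IPv4 addresses, host byte order */
    enum policy decision;   /* cached policy engine verdict for this flow */
    unsigned spd_gen;       /* policy generation the verdict was computed under */
    int valid;
};

#define NFLOWS 16
static struct ipflow flowtab[NFLOWS];
static unsigned spd_generation = 1;   /* bumped on every policy load */

/* Slow path, standing in for the policy engine. Constructed toy rule:
 * when enabled, traffic to 10.0.0.0/8 must be encrypted; all else bypasses. */
static int secure_net_enabled = 0;

static enum policy policy_lookup(uint32_t dst)
{
    if (secure_net_enabled && (dst & 0xff000000u) == 0x0a000000u)
        return POLICY_IPSEC;
    return POLICY_BYPASS;
}

/* Point 2 of the proposal: the policy engine notifies ipflow on load.
 * Coarse invalidation: bump the generation instead of walking the table. */
void spd_reload(int enable_secure_net)
{
    secure_net_enabled = enable_secure_net;
    spd_generation++;
}

/* Point 1: a cached entry is honored only if its verdict was computed
 * under the current policy generation; otherwise rerun the policy engine. */
enum policy ipflow_forward(uint32_t src, uint32_t dst, int *fast_path)
{
    struct ipflow *f = &flowtab[(src ^ dst) % NFLOWS];
    if (f->valid && f->src == src && f->dst == dst &&
        f->spd_gen == spd_generation) {
        *fast_path = 1;               /* hit: verdict is current, safe to use */
        return f->decision;
    }
    *fast_path = 0;                   /* miss or stale: slow path */
    f->src = src; f->dst = dst; f->valid = 1;
    f->decision = policy_lookup(dst);
    f->spd_gen = spd_generation;
    return f->decision;
}
```

After spd_reload() installs the 10/8 rule, the next packet of an already-cached flow misses the fast path and picks up the IPsec verdict, which is exactly the case the original disable-ipflow commit guarded against.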