Subject: Re: IPv4 fast routing versus IPSEC
To: Jason R Thorpe <thorpej@wasabisystems.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 02/24/2003 20:58:27
On Mon, Feb 24, 2003 at 05:14:59PM -0800, Jason R Thorpe wrote:
> On Mon, Feb 24, 2003 at 08:06:12PM -0500, Thor Lancelot Simon wrote:
> 
>  > 1) Cache policy engine decision per-flow in ipflow
>  > 2) Notify ipflow from the policy engine when new policies are loaded; even
>  >    the coarse action of clearing all current flow state should suffice, and
>  >    be better than the current state of affairs; on most systems, policies
>  >    don't change all that often.
>  > 
>  > What do you think?
> 
> That sounds pretty reasonable.  Really, all you need to do is refuse to
> enter an ipflow entry into the cache if there is an IPsec policy that
> requires it to be dropped or IPsec-processed (and obviously invalidate
> the ipflow cache if the policy database changes).

Hm.  There's no advantage to using the ipflow cache to make forwarding
decisions about packets that will require IPsec processing (or that have
been IPsec-processed)?

Thor
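To make the scheme above concrete, here is a toy C model of it as an added example; it is not code from this thread or from NetBSD. It follows Jason's variant: a flow is entered into the ipflow cache only if the security policy database (SPD) returns "bypass" for it, and a loaded policy invalidates all cached flows coarsely, by bumping a generation counter that each flow entry is checked against (Thor's point 2). Packets whose policy requires IPsec processing or discard never get a fast-path entry and always take the slow path. All names (spd_lookup, spd_add, ipflow_create, ip_forward), the generation counter, the longest-first prefix table and the sample addresses are assumptions of this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed toy model of an ipflow-style forwarding cache gated by an
 * IPsec policy database.  Hypothetical names; not NetBSD's ipflow or SPD. */

typedef enum { SPD_BYPASS = 0, SPD_DISCARD = 1, SPD_IPSEC = 2 } spd_action_t;

struct spd_entry {
    uint32_t dst_prefix;    /* host-order IPv4 prefix */
    uint32_t dst_mask;
    spd_action_t action;
};

#define SPD_MAX 8
static struct spd_entry spd[SPD_MAX];
static int spd_count;
static unsigned spd_generation = 1;  /* bumped on every policy change */

/* Slow-path policy lookup: first matching entry wins, default is bypass. */
spd_action_t spd_lookup(uint32_t dst)
{
    for (int i = 0; i < spd_count; i++)
        if ((dst & spd[i].dst_mask) == spd[i].dst_prefix)
            return spd[i].action;
    return SPD_BYPASS;
}

/* Loading a policy is rare, so coarse invalidation is acceptable:
 * bumping the generation makes every cached flow stale at once. */
int spd_add(uint32_t prefix, uint32_t mask, spd_action_t action)
{
    if (spd_count >= SPD_MAX)
        return -1;
    spd[spd_count].dst_prefix = prefix & mask;
    spd[spd_count].dst_mask = mask;
    spd[spd_count].action = action;
    spd_count++;
    spd_generation++;
    return 0;
}

struct ipflow {
    uint32_t src, dst;
    unsigned generation;    /* SPD generation this entry was validated against */
    int valid;
};

#define IPFLOW_MAX 16
static struct ipflow flows[IPFLOW_MAX];

static struct ipflow *ipflow_find(uint32_t src, uint32_t dst)
{
    for (int i = 0; i < IPFLOW_MAX; i++)
        if (flows[i].valid && flows[i].src == src && flows[i].dst == dst)
            return &flows[i];
    return NULL;
}

/* Returns 1 if the flow was cached, 0 if refused (policy needs IPsec or drop,
 * or the cache is full).  Refusal is what keeps IPsec traffic off the fast path. */
int ipflow_create(uint32_t src, uint32_t dst)
{
    if (spd_lookup(dst) != SPD_BYPASS)
        return 0;
    for (int i = 0; i < IPFLOW_MAX; i++) {
        if (!flows[i].valid) {
            flows[i] = (struct ipflow){ src, dst, spd_generation, 1 };
            return 1;
        }
    }
    return 0;
}

typedef enum { PATH_FAST, PATH_SLOW_FORWARD, PATH_SLOW_IPSEC, PATH_DROP } fwd_path_t;

/* Forwarding decision for one packet: fast path only on a cache hit whose
 * generation still matches the SPD; everything else consults the SPD. */
fwd_path_t ip_forward(uint32_t src, uint32_t dst)
{
    struct ipflow *f = ipflow_find(src, dst);
    if (f != NULL) {
        if (f->generation == spd_generation)
            return PATH_FAST;
        f->valid = 0;   /* stale: a policy was loaded after this entry was made */
    }
    switch (spd_lookup(dst)) {
    case SPD_DISCARD: return PATH_DROP;
    case SPD_IPSEC:   return PATH_SLOW_IPSEC;
    default:
        ipflow_create(src, dst);     /* bypass traffic: populate the cache */
        return PATH_SLOW_FORWARD;
    }
}

int main(void)
{
    uint32_t src = 0x0a000001u, dst = 0x0a000002u;   /* constructed: 10.0.0.1 -> 10.0.0.2 */
    printf("first packet: %d, second packet: %d\n", ip_forward(src, dst), ip_forward(src, dst));
    spd_add(0x0a000000u, 0xffffff00u, SPD_IPSEC);    /* 10.0.0.0/24 now requires IPsec */
    printf("after policy load: %d\n", ip_forward(src, dst));
    return 0;
}
```

The first packet of a bypass flow takes the slow path and seeds the cache; the second hits the cache. Once a policy covering the destination is loaded, the cached entry's generation no longer matches, so the packet goes back through the SPD and is sent to IPsec processing, and no new fast-path entry is created for it.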