Subject: Re: ipsec pcb/socket passing
To: Bill Studenmund <wrstuden@netbsd.org>
From: None <itojun@iijlab.net>
List: tech-net
Date: 08/26/2003 07:49:22
>> > Also, totally unrelated note, what happens if you're an IPsec gateway? Say
>> > you're doing ESP tunnel mode for a number of protected boxes. And you have
>> > nothing running that has an open port covered by the IPsec policy (or you
>> > have port-specific policy and nothing's open on that port). Do you really
>> > have a socket sitting around to hang the IPsec info off of, even though
>> > there's nothing in userland around to hook to it?
>> there are two places you can put policies - one is on a socket via ioctl,
>> the other is packet-filter-like (setkey). IPsec gateway case falls
>> into the latter, and there'll be no socket for those policies.
>So we'd be passing NULL as the socket in that case?
yes, see the call to ip_output() from ip_forward(), for instance.
itojun
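The gateway case itojun describes, the kernel SPD policy installed with setkey(8) rather than attached to any socket, looks like the following on the KAME/NetBSD stack. This is an added illustration, not part of the thread; the addresses are constructed (RFC 5737 documentation ranges) and the topology is assumed: a gateway at 203.0.113.1 protects 192.0.2.0/24 and tunnels traffic to a peer gateway at 203.0.113.2 that protects 198.51.100.0/24.

```conf
# Constructed example: ESP tunnel-mode SPD entries on the gateway 203.0.113.1.
# Forwarded packets are matched against these entries in ip_forward()/ip_output()
# and on input; no local socket exists for them, so the policy lookup runs with
# a NULL socket, exactly as discussed above.

# Outbound: traffic from the protected LAN to the peer's LAN must go out
# encrypted in an ESP tunnel between the two gateways.
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-203.0.113.2/require;

# Inbound: traffic from the peer's LAN to our LAN must have arrived through
# the matching tunnel; cleartext packets claiming those addresses are dropped.
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in ipsec
    esp/tunnel/203.0.113.2-203.0.113.1/require;
```

Load it with `setkey -f <file>` and inspect the result with `setkey -DP`. The security associations themselves (keys and SPIs) are negotiated by IKE (racoon on KAME) or added manually with `add` lines; with `require` in place, forwarded packets that match an entry but have no usable SA are dropped rather than sent in the clear. By contrast, the per-socket form of policy is set from the application on an open socket (on KAME via the IP_IPSEC_POLICY socket option, built with ipsec_set_policy(3)), which is why it can only ever cover traffic that some local process actually owns.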