Subject: Re: IPsec policy cache hint
To: None <thorpej@wasabisystems.com>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 02/28/2004 21:25:38
> Hi folks...
> 
> For a project I am working on, I have a need to know if a TCP 
> connection requires IPsec processing before the actual TCP segments are 
> generated by tcp_output().  Unfortunately, you can't really do IPsec 
> policy look-ups that early, because the IPsec code wants to have a 
> fully-formed IP packet, and where I need to perform the test, I don't 
> have that yet.

	i'm a bit confused (or i do not understand your situation correctly).
	i'm assuming that you are talking about a listening socket, am i
	correct? (if it is a client socket, you have the whole info to be
	filled into the IP header on connect(2))

	then, the PCB policy cache will NOT be filled for the listening socket.
	it will be filled for a new socket created by sonewconn() only.
	so there's no use for the additional "hint" i guess...

itojun