Subject: Re: IPsec policy cache hint
To: None <thorpej@wasabisystems.com>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 02/29/2004 04:38:41
> > i'm a bit confused (or i do not understand your situation correctly).
> > i'm assuming that you are talking about a listening socket, am i
> > correct? (if it is a client socket, you have the whole info to be
> > filled into IP header on connect(2))
>
> No, not talking about a listening socket.
>
> Let's assume a fully set-up TCP connection for the sake of this example.
>
> I need to *quickly* determine, in tcp_output(), whether or not the
> connection requires IPsec processing. But even
> ipsec4_getpolicybysock() requires that the packet be fully formed (with
> IP header in place, etc.). In my particular application, I need to
> make this determination in order to decide the length of the TCP
> segment I am going to send, so I can't even ask the question "does this
> require IPsec processing?". What I'm basically looking for from this
> patch is:
>
> * First TCP segment will go out assuming that the connection does
> require IPsec processing. (Or whenever the SPD changes.)
>
> * As that segment goes through ip_output(), the hint will be updated
> to reflect "requires IPsec processing" or "does not require IPsec
> processing".
>
> * For subsequent TCP segments, then I can quickly see that a
> connection does not require IPsec processing.
>
> Does that make sense?
now i see what your patch is about, thanks. i may be able to test it
this week (if i can find some time during IETF... unlikely?).
itojun
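The three bullets above describe a small caching protocol: a per-connection hint that starts out conservative, is refreshed by ip_output() once the full packet exists, and is distrusted again whenever the SPD changes. The following C sketch, added here as an illustration and not taken from the patch under discussion or from the NetBSD tree, models that protocol in user space. All names (`struct conn`, `spd_set`, `tcp_segment_len`, `ip_output`, the `HINT_*` states, the `spd_generation` counter) and the constructed `ESP_OVERHEAD` value are this example's own assumptions; the real kernel keys policy on the packet's addresses and ports rather than on a `policy_id` index.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cached answer to "does this connection need IPsec processing?" (example names). */
enum ipsec_hint { HINT_UNKNOWN = 0, HINT_REQUIRED, HINT_NOT_REQUIRED };

/* Constructed stand-in for the SPD: index = policy id, value = "requires IPsec". */
static bool spd_table[4];

/* Bumped on every SPD change so that stale hints are recomputed. */
static uint32_t spd_generation = 1;

/* Per-connection state; hint_gen records which SPD generation the hint is valid for. */
struct conn {
    int policy_id;          /* stand-in for the address/port tuple (constructed) */
    enum ipsec_hint hint;
    uint32_t hint_gen;
    size_t mtu;
};

/* Constructed per-segment overhead budget reserved when IPsec might apply. */
#define ESP_OVERHEAD 56

/* Administrative SPD change: update the table and invalidate every cached hint. */
static void spd_set(int policy_id, bool requires_ipsec)
{
    spd_table[policy_id] = requires_ipsec;
    spd_generation++;
}

/* tcp_output() side: pick a segment length without a full policy lookup.
 * Fast path only when the hint says "not required" AND the SPD has not
 * changed since the hint was computed; otherwise assume IPsec is needed. */
static size_t tcp_segment_len(const struct conn *c)
{
    bool assume_ipsec = !(c->hint == HINT_NOT_REQUIRED &&
                          c->hint_gen == spd_generation);
    return c->mtu - (assume_ipsec ? ESP_OVERHEAD : 0);
}

/* ip_output() side: the full packet exists here, so do the real lookup and
 * refresh the hint. Returns whether this packet actually needed IPsec. */
static bool ip_output(struct conn *c)
{
    bool required = spd_table[c->policy_id];
    c->hint = required ? HINT_REQUIRED : HINT_NOT_REQUIRED;
    c->hint_gen = spd_generation;
    return required;
}

int main(void)
{
    struct conn c = { .policy_id = 0, .hint = HINT_UNKNOWN, .hint_gen = 0, .mtu = 1500 };

    printf("first segment (no hint yet):   %zu bytes\n", tcp_segment_len(&c));
    ip_output(&c);                      /* hint now "not required" */
    printf("second segment (hint cached):  %zu bytes\n", tcp_segment_len(&c));
    spd_set(1, true);                   /* unrelated entry changes, hint distrusted */
    printf("after SPD change (stale hint): %zu bytes\n", tcp_segment_len(&c));
    ip_output(&c);                      /* hint re-validated against new generation */
    printf("after re-validation:           %zu bytes\n", tcp_segment_len(&c));
    return 0;
}
```

Note that any SPD change, even to an entry that does not match this connection, forces one conservative segment; that is the safe direction, since the cost of a wrong "not required" guess would be a segment that no longer fits once the IPsec headers are added.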