> > >	per-pcb policies should not be manipulated via PF_KEY.
> > 
> > 	oops, read access (via dump/whatever) is ok.
> > 
> > itojun
> 
> do you mean spddump should dump per-pcb ones as well?

	we currently do show them via "setkey -DP".  not sure it is right
	or not.  but anyways, read access based on spid is necessary for
	racoon to find and negotiate SAs for per-socket policy.

itojun