David Miller <[EMAIL PROTECTED]> wrote:
> 
> Those socket policies are becoming more and more difficult to
> deal with.  I like them as a feature, but I wonder who uses
> them :-)  They do not live in the flow cache so they hurt
> performance until we find a way to place them there.  Perhaps
> we can extend the flow keying somehow to account for socket
> based policies in the flow cache.

The KMs use it to allow ISAKMP traffic to punch through IPsec.

That should definitely be the exception though.  Most apps should
have zero socket policies, especially since socket policies need
root privileges.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt