On Tue, 30 Sep 2003 20:05:06 +1000 Herbert Xu <herbert@gondor.apana.org.au> wrote: > If all three SAs are for the local host, then only one policy check > is necessary. That is the one which is performed after all three > SAs have been decapped. Thanks for explaining. I thought policy checks checked more than just actually applied SAs (so f.e. you could create policy like "ESP with key foo inner protocol must be TCP" and policy checks would enforce this, aparently this feature does not exist :( ). I'll apply your patch, thanks. - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html