Subject: Re: IPSEC in GENERIC
To: None <jonathan@dsg.stanford.edu>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-kern
Date: 02/22/2006 13:09:32
jonathan@dsg.stanford.edu writes:
> I think it's best to put the test for "no IPsec active, therefore none
> needed" directly into ip_input() and ip6_input().
>
> I'm not sure about forwarding, I'd have to look. If dimming memory
> serves, the API from ipsec[46]_in_reject() *always* returns a non-NULL
> policy, so what you'd want is to check for only the default policy
> existing, and if so, skip all the ipsec*_in_reject goop completely.
And a check that the system default policy is USE or NONE; if it's
REQUIRE, IPsec processing is still needed. It may make sense to
maintain a variable omit_ipsec which is 1 if the conditions for doing so
are met (empty SPD, empty SAD, default policy USE or NONE, I think),
and have SPD/SAD/sysctls update the variable, maintaining the invariant.
--
Greg Troxel <gdt@ir.bbn.com>
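The omit_ipsec invariant sketched in the message above, as an added illustration that is not part of the original thread and not NetBSD's code. It models the SPD and SAD as entry counters, the default policy as an enum, and routes every state change through one recompute function so the variable can never go stale; ip_input_model() then consults the flag before the policy check. All names (ipsec_recompute_omit, ipsec_spd_add, ipsec_set_default_policy, ipsec4_in_reject_model, ip_input_model) are assumptions for the example, not kernel APIs.

```c
/*
 * Hypothetical model of the omit_ipsec fast-path invariant. Added
 * example, not NetBSD code: every identifier below is invented for
 * illustration. Counters stand in for the real SPD/SAD contents.
 */
#include <stdbool.h>
#include <stdio.h>

enum ipsec_default_policy {
    IPSEC_POLICY_NONE,
    IPSEC_POLICY_USE,
    IPSEC_POLICY_REQUIRE
};

static unsigned int spd_entries;            /* modelled SPD size */
static unsigned int sad_entries;            /* modelled SAD size */
static enum ipsec_default_policy default_policy = IPSEC_POLICY_NONE;

/* Invariant: omit_ipsec == 1 iff SPD and SAD are empty and the
 * default policy is NONE or USE.  Only ipsec_recompute_omit() writes it. */
int omit_ipsec = 1;

static void ipsec_recompute_omit(void)
{
    omit_ipsec = (spd_entries == 0 && sad_entries == 0 &&
                  (default_policy == IPSEC_POLICY_NONE ||
                   default_policy == IPSEC_POLICY_USE));
}

/* Every mutator of SPD/SAD/default policy re-establishes the invariant. */
void ipsec_spd_add(void)    { spd_entries++; ipsec_recompute_omit(); }
void ipsec_spd_remove(void) { if (spd_entries) spd_entries--; ipsec_recompute_omit(); }
void ipsec_sad_add(void)    { sad_entries++; ipsec_recompute_omit(); }
void ipsec_sad_remove(void) { if (sad_entries) sad_entries--; ipsec_recompute_omit(); }

/* Stand-in for the sysctl handler that sets the default policy. */
void ipsec_set_default_policy(enum ipsec_default_policy p)
{
    default_policy = p;
    ipsec_recompute_omit();
}

/* Stand-in for ipsec4_in_reject(): with no SPD entry, the default
 * policy decides; we also count how often this slow path runs. */
static unsigned int slow_path_calls;

static bool ipsec4_in_reject_model(void)
{
    slow_path_calls++;
    return default_policy == IPSEC_POLICY_REQUIRE;
}

unsigned int ipsec_slow_path_calls(void) { return slow_path_calls; }

/* Modelled ip_input() decision: true if the packet is accepted. */
bool ip_input_model(void)
{
    if (omit_ipsec)
        return true;                /* fast path: no policy lookup at all */
    return !ipsec4_in_reject_model();
}

int main(void)
{
    printf("boot: omit_ipsec=%d accept=%d\n", omit_ipsec, ip_input_model());
    ipsec_set_default_policy(IPSEC_POLICY_REQUIRE);
    printf("REQUIRE: omit_ipsec=%d accept=%d\n", omit_ipsec, ip_input_model());
    ipsec_set_default_policy(IPSEC_POLICY_NONE);
    ipsec_spd_add();
    printf("one SPD entry: omit_ipsec=%d accept=%d\n", omit_ipsec, ip_input_model());
    ipsec_spd_remove();
    printf("SPD empty again: omit_ipsec=%d slow-path calls=%u\n",
           omit_ipsec, ipsec_slow_path_calls());
    return 0;
}
```

The design point is that the flag is derived state with a single writer, so a forgotten update in one of the SPD/SAD/sysctl paths shows up as a wrong flag rather than a silent policy bypass; in a real kernel the recompute would also need to run under the same lock that protects the SPD and SAD.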