Re: [PATCH 40/44] [XFRM] POLICY: sub policy support.
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2006-08-25 01:46:17
David Miller [off-list ref] wrote:
Those socket policies are becoming more and more difficult to deal with. I like them as a feature, but I wonder who uses them :-) They do not live in the flow cache so they hurt performance until we find a way to place them there. Perhaps we can extend the flow keying somehow to account for socket based policies in the flow cache.
The KM's use it to allow ISAKMP traffic to punch through IPsec. That should definitely be the exception though. Most apps should have zero socket policies, especially since socket policies need root privileges.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt