Re: IPsec tunnels with main site prefix overlapping remote site networks no longer work in v1.8

 wrote:

I guess the IPsec processing steps are like this (maybe I am wrong, please correct me):
1) An application sends out an IP packet.
2) The kernel looks up the packet in the routing table.
3) It matches one route in the route table.
4) Then the packet is searched for in the SPD (ip xfrm policy). If it matches an out policy, go to step 5, else go to step 6.
5) The IPsec src IP, dest IP, and AH/ESP header are added to the packet, and it goes back to step 2 (this packet is looked up in the routing table again with the new src IP and dest IP).
6) The packet is sent out of the interface of the route.

Prior to step 2, ip rule list is used to determine which routing table to use. The current code uses that to jump to table 220.


4) Will the SPD lookup be performed on all packets, or only on packets matching a kernel route?

If the SPD lookup is done on all packets, we might do without the extra kernel routes.
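Added example, not part of the post and not EdgeOS or kernel code: a small Python model of the output path exactly as the quoted steps list it (rule walk by priority, longest-prefix route lookup, SPD lookup, ESP encapsulation, re-route, transmit). The hosts, prefixes, addresses and the single policy are constructed for the illustration; table 220 and the "main" table id 254 follow the post's mention of table 220. The `build_main_site` helper and its parameters are assumptions for this example.

```python
"""Toy model of the IPsec output path as listed in the post: route lookup
(ip rule -> table), SPD lookup, ESP encapsulation, re-route, transmit.
Illustration only, not kernel code; all addresses and tables are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str  # outgoing interface


@dataclass(frozen=True)
class Rule:
    """One 'ip rule' entry: priority, selector, routing table to consult."""
    priority: int
    table: int
    match: Callable[[IPv4, IPv4], bool] = lambda src, dst: True


@dataclass(frozen=True)
class Policy:
    """One outbound SPD entry (ip xfrm policy ... dir out) in tunnel mode."""
    src_sel: Net
    dst_sel: Net
    tunnel_src: IPv4
    tunnel_dst: IPv4


class NoRoute(Exception):
    """Route lookup failed; in this model the SPD is never consulted."""


class Host:
    def __init__(self, rules: List[Rule], tables: Dict[int, List[Route]], spd: List[Policy]):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.tables = tables
        self.spd = spd

    def lookup(self, src: IPv4, dst: IPv4) -> Tuple[int, Route]:
        """Steps 2-3: walk the rules by priority; the first table holding a
        matching route wins, longest prefix first.  A table without a matching
        route is skipped and the walk continues (as the kernel does)."""
        for rule in self.rules:
            if not rule.match(src, dst):
                continue
            hits = [r for r in self.tables.get(rule.table, []) if dst in r.prefix]
            if hits:
                return rule.table, max(hits, key=lambda r: r.prefix.prefixlen)
        raise NoRoute(f"no route to {dst}")

    def spd_lookup(self, src: IPv4, dst: IPv4) -> Optional[Policy]:
        """Step 4: first outbound policy whose selector covers the flow."""
        for pol in self.spd:
            if src in pol.src_sel and dst in pol.dst_sel:
                return pol
        return None

    def send(self, src: str, dst: str, max_passes: int = 4) -> List[str]:
        """Steps 2-6 for one packet; returns the trace of decisions taken."""
        cur_src, cur_dst = IPv4(src), IPv4(dst)
        trace: List[str] = []
        for _ in range(max_passes):
            table, route = self.lookup(cur_src, cur_dst)
            trace.append(f"route table {table}: {cur_dst} -> {route.prefix} dev {route.dev}")
            pol = self.spd_lookup(cur_src, cur_dst)
            if pol is None:  # step 6
                trace.append(f"xmit dev {route.dev}")
                return trace
            # step 5: the outer header becomes the flow, then back to step 2
            trace.append(f"spd match {pol.src_sel}->{pol.dst_sel}, "
                         f"encap ESP {pol.tunnel_src}->{pol.tunnel_dst}")
            cur_src, cur_dst = pol.tunnel_src, pol.tunnel_dst
        raise RuntimeError("SPD keeps matching the encapsulated packet (looping policy)")


def build_main_site(lan_prefix: str = "10.0.0.0/16", with_table_220: bool = True,
                    default_route: bool = True) -> Host:
    """Constructed main site (hypothetical): LAN on eth1 overlapping the remote
    10.0.5.0/24 by default, WAN on eth0, one tunnel-mode policy to the remote
    site, and a table 220 route like the one the post refers to."""
    main = [Route(Net(lan_prefix), "eth1"), Route(Net("203.0.113.0/24"), "eth0")]
    if default_route:
        main.append(Route(Net("0.0.0.0/0"), "eth0"))
    t220 = [Route(Net("10.0.5.0/24"), "eth0")] if with_table_220 else []
    rules = [Rule(220, 220), Rule(32766, 254)]  # 254 is the main table
    spd = [Policy(Net("10.0.0.0/16"), Net("10.0.5.0/24"),
                  IPv4("203.0.113.1"), IPv4("198.51.100.1"))]
    return Host(rules, {220: t220, 254: main}, spd)


if __name__ == "__main__":
    for label, host in [("with table 220", build_main_site()),
                        ("without table 220", build_main_site(with_table_220=False))]:
        print(label)
        for line in host.send("10.0.0.7", "10.0.5.9"):
            print("  " + line)
    try:
        build_main_site("10.0.0.0/24", False, False).send("10.0.0.7", "10.0.5.9")
    except NoRoute as e:
        print("no route case:", e)
```

Running it shows the three situations the thread is circling: with the overlapping /16 on eth1 and no table 220 entry, the first pass routes the inner packet to eth1, the SPD match still wins and the second pass sends the ESP packet out eth0; with the table 220 entry the first pass already picks eth0; and when no table has any route to the remote subnet, the model drops the packet at step 2 before the SPD is ever consulted. The `max_passes` guard is there because a policy whose selector also covers the tunnel endpoints would re-match its own encapsulated packet forever.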

