> > is it just a matter of how we configure the policy rules
> for polmatch?
>
> Actually, it would be the ranged SA labels (defined in the
> xfrm policy), used
> as the target by sendto and recvfrom.

and used as the subject in the polmatch check, yes.