One other topic that was discussed on the ipsec-tools-devel mailing list was how support for specifying the priority for an SPD entry should be added to the PF_KEY interface. Such a priority is already supported in the XFRM interface, and it can be used to insert a policy into the SPD at locations other than the end.
The two possible approaches that have been suggested are:
1. Use the sadb_x_policy_reserved2 field of struct sadb_x_policy to indicate the priority.
2. Use the SADB_X_SPDSETIDX message to do this by defining a new message format that includes the priority (and optionally an interface index as well since this is also supported by the XFRM interface).
Are there opinions on which approach is preferable? Is there a reason why the reserved2 field should not be used? Also, is SADB_X_SPDSETIDX intended to insert a policy or change the location of an existing one? Currently messages of this type just use pfkey_spdadd, so it seems that this message type could be used as an alternate way of inserting SPD entries when the priority and interface index are desired.
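To make the first approach concrete, here is an added illustration (not code from the mailing list, ipsec-tools or the kernel) of what carrying the priority in sadb_x_policy_reserved2 would look like on the wire, together with a priority-ordered SPD insert of the kind the XFRM interface performs, where a lower numeric value means the policy is matched earlier. The struct layout and the SADB_X_EXT_POLICY / IPSEC_* constants are assumed to match the pfkeyv2.h and ipsec.h headers of the period and are redeclared locally so the example builds on its own; the spd_entry type, spd_insert() and the tie-breaking rule (a new entry lands after existing entries of equal priority) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants assumed from pfkeyv2.h / ipsec.h; use the real headers in practice. */
#define SADB_X_EXT_POLICY   18
#define IPSEC_POLICY_IPSEC  2
#define IPSEC_DIR_INBOUND   1
#define IPSEC_DIR_OUTBOUND  2

/* PF_KEY policy extension, layout assumed to match the ipsec-tools header of
 * the time; approach 1 reuses the trailing reserved2 field for the priority. */
struct sadb_x_policy {
    uint16_t sadb_x_policy_len;       /* total length in 8-byte units */
    uint16_t sadb_x_policy_exttype;   /* SADB_X_EXT_POLICY */
    uint16_t sadb_x_policy_type;      /* IPSEC_POLICY_* */
    uint8_t  sadb_x_policy_dir;       /* IPSEC_DIR_* */
    uint8_t  sadb_x_policy_reserved;
    uint32_t sadb_x_policy_id;
    uint32_t sadb_x_policy_reserved2; /* proposed: SPD priority (lower wins) */
} __attribute__((packed));

/* Fill in a policy extension header; returns the length in 8-byte units. */
uint16_t build_policy_ext(struct sadb_x_policy *p, uint16_t type,
                          uint8_t dir, uint32_t priority)
{
    memset(p, 0, sizeof *p);
    p->sadb_x_policy_len = (uint16_t)(sizeof *p / 8);
    p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
    p->sadb_x_policy_type = type;
    p->sadb_x_policy_dir = dir;
    p->sadb_x_policy_reserved2 = priority; /* approach 1 encoding */
    return p->sadb_x_policy_len;
}

/* Read the priority back out of a received extension. */
uint32_t policy_priority(const struct sadb_x_policy *p)
{
    return p->sadb_x_policy_reserved2;
}

/* Minimal in-memory SPD to show what the priority buys: a placement other
 * than the end of the list. This is an assumed model, not kernel code. */
struct spd_entry {
    uint32_t priority;
    uint32_t id; /* identifies the entry in the checks below */
};

/* Insert keeping ascending priority; a new entry goes after existing
 * entries of the same priority (XFRM's tie-break, assumed here).
 * Returns the index at which the entry was placed, or (size_t)-1 if full. */
size_t spd_insert(struct spd_entry *spd, size_t *n, size_t cap,
                  struct spd_entry e)
{
    if (*n >= cap)
        return (size_t)-1;
    size_t pos = 0;
    while (pos < *n && spd[pos].priority <= e.priority)
        pos++;
    memmove(&spd[pos + 1], &spd[pos], (*n - pos) * sizeof *spd);
    spd[pos] = e;
    (*n)++;
    return pos;
}

int main(void)
{
    struct sadb_x_policy p;
    build_policy_ext(&p, IPSEC_POLICY_IPSEC, IPSEC_DIR_OUTBOUND, 100);
    printf("ext len=%u units, priority=%u\n",
           p.sadb_x_policy_len, policy_priority(&p));

    struct spd_entry spd[8];
    size_t n = 0;
    struct spd_entry in[] = { {200, 1}, {100, 2}, {300, 3}, {100, 4} };
    for (size_t i = 0; i < 4; i++)
        printf("id %u -> index %zu\n", in[i].id, spd_insert(spd, &n, 8, in[i]));
    for (size_t i = 0; i < n; i++)
        printf("spd[%zu]: priority %u id %u\n", i, spd[i].priority, spd[i].id);
    return 0;
}
```

The point for a policy author is that once priorities exist, a newly added entry can shadow or be shadowed by existing ones regardless of insertion order, so the SPD should be reviewed as a whole after an SADB_X_SPDSETIDX or SPDADD that carries a priority, not just appended to.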