To provide industrial-strength security, the IPsec Security Policy Database should be integrated with the regular Linux firewalling facilities, specifically into the Netfilter/IPtables code.
Integration provides a single place to express policy. It also prevents duplication of code, which both saves physical resources (kernel time and code space) and reduces the opportunities for errors.