Subject: Re: ipsec pcb/socket passing
To: None <jonathan@DSG.Stanford.EDU>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 08/23/2003 13:39:36

> We may have to wrangle out some compromise on KAME passing struct
> socket *, versus the fast-ipsec struct inpcb *, after all. Fast-ipsec
> already has considerable hooks for inet6 processing, but those hooks
> were designed and implemented with the assumption that inpcb and
> in6pcb have been unified -- as they are, on FreeBSD.

i looked into sys/netipsec code, and i see a couple of major problems
with the current code. i don't think the code is sufficient for
supporting IPv6 sockets (even with FreeBSD inpcb in mind) and therefore
i don't think it is worthwhile to integrate inpcb and in6pcb just for the
sake of sys/netipsec. and if we want to integrate them, we need to
integrate them properly, not in a hurry like you are now.

major problem i see:

ipsec_getpolicybysock() seems to be protocol independent. but that's
not true - it has too little consideration for the IPv6 case (especially
IPv4 traffic with IPv6 inpcb). same goes for
ipsec[46]_setspidx_in{,6}pcb.

why you are insisting on passing inpcb * rather than socket * as args
is a mystery to me. once you get to inp_sp (or in6p_sp), there's no need
to refer to inpcb *, right? to support the IPv4 mapped address case,
passing socket * has an advantage.

itojun