The KAME ipsec code appears to overload the m->m_pkthdr.rcvif packet
header field for output; in particular, a "struct socket *" is stuffed
into that pointer instead of a "struct ifnet *".

This is somewhat unclean, and also makes it somewhat more difficult to
implement hot-swappable network interfaces (one piece of the ifdetach
work involves reference counting interfaces so you know when it's safe
to delete one).

The chance confusing an "inbound" packet (with a struct ifnet *) and
an "outbound" one (with a "struct socket") seems rather high.

How about adding a "snd_so" field to m_pkthdr?

					- Bill