Subject: ipsec/ipf interaction change
To: None <tech-net@netbsd.org>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
List: tech-net
Date: 01/25/2001 17:42:26
	i made a change to ipsec logic, so that ipsec and ipf interact better.

	now, ipf looks into wire-format packet only.

	suppose you have inbound packet generated by IPsec tunnel device.
	the packet will be like:
		IP1 ESP IP2 payload
	"IP2 payload" is the encapsulated packet, and "IP1 ESP" wraps it up.
	ipf used to look at both wire-format packet (IP1 ESP IP2 payload),
	and decapsulated packet (IP2 payload), on inbound.  it made it
	ultra-hard to configure NAT box and IPsec gateway in the same box.
	now the trouble should have gone and it is simple to configure them
	in the same box.

	WARNING: if you were using ipf to filter IPsec-decapsulated packets
	you may need to change your ruleset.  also, packets decapsulated
	by "gif" or "ipip" tunnelling device still go through ipf
	(you can recognize them by using matching rule based on inbound
	interface).

itojun
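An illustrative ipf ruleset for a gateway running under the new behaviour described above (an added example, not part of itojun's message or of the NetBSD tree); the interface names le0 and gif0, the gateway addresses 192.0.2.1/192.0.2.2 and the 10.x.0.0/16 site prefixes are constructed assumptions.

```conf
# Assumed layout (constructed): le0 is the wire interface toward the
# remote gateway 192.0.2.1 (local side 192.0.2.2); gif0 is an IP-in-IP
# tunnel to a second site.  Sites are 10.1.0.0/16 (local), 10.2.0.0/16 (remote).

# default deny in both directions, logged
block in log all
block out log all

# wire interface: ipf now sees only the outer "IP1 ESP" header of
# IPsec tunnel traffic, so the rules here match on ESP and IKE only.
pass in  quick on le0 proto esp from 192.0.2.1 to 192.0.2.2
pass out quick on le0 proto esp from 192.0.2.2 to 192.0.2.1
pass in  quick on le0 proto udp from 192.0.2.1 port = 500 to 192.0.2.2 port = 500
pass out quick on le0 proto udp from 192.0.2.2 port = 500 to 192.0.2.1 port = 500

# NOTE: the decapsulated "IP2 payload" of an ESP tunnel is no longer
# presented to ipf, so an anti-spoofing rule such as the one below
# does not see the inner packet; any policy on the inner addresses of
# IPsec tunnel traffic has to be enforced outside ipf.
block in log quick on le0 from 10.1.0.0/16 to any

# gif/ipip tunnels: the decapsulated packet still traverses ipf, and
# the inbound interface is how it is recognised, as the message says.
pass in  quick on gif0 from 10.2.0.0/16 to 10.1.0.0/16
pass out quick on gif0 from 10.1.0.0/16 to 10.2.0.0/16
block in log quick on gif0 all
```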