I want to build a NetBSD-based router that can fast forward and
also supports IPSEC. Alas, in ip_input.c, I found this:

#ifdef IPSEC
	/* ipflow (IP fast forwarding) is not compatible with IPsec. */
	m->m_flags &= ~M_CANFASTFWD;
#else
	/*
	 * Assume that we can create a fast-forward IP flow entry
	 * based on this packet.
	 */
	m->m_flags |= M_CANFASTFWD;
#endif

CVS log tell this tale:

| ----------------------------
| revision 1.94
| date: 1999/10/26 09:53:17;  author: itojun;  state: Exp;  lines: +6 -1
| disable ipflow (IPv4 fast fowarding) when IPsec is configured into the kernel.

Why is this the case?

	Erik <fair@netbsd.org>