Subject: ipsec/ipf interaction change on 1.5 branch
To: None <net-and-current>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
List: current-users
Date: 04/06/2001 10:46:25

ipsec/ipf interaction change was pulled up to 1.5 branch.
(the change has been available in netbsd-current since Feb 2001)

summary:
- ipf will look at wire-format packet, not the decapsulated IPsec
  packets.

benefit:
- you can run NAT for traffic from your private-address cloud to the
  outside world, and run VPN for traffic between private address cloud.
  it was rather hard to do before.

impact:
- you may want to revisit ipf rules as well as ipsec rules, if you
  are using them on the same box.

for more details, visit the following URL.
	http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

itojun