>> 	because L2 driver behavior is different, ip_output() needs to behave
>> 	differently.  yes, ip_output() should remove ipsec tags used in L3
>> 	logic, and then add ipsec-hardware tags to tell L2 to do special 
>> stuff.
>
>No, I don't like that idea.  All that extra allocating/freeing of the 
>L2-specific IPsec tags is added expense.  Better for the IPsec tags to 
>be generic enough so as to be useful all over.

	oops, i was suggesting re-tagging too strong.  it was not what i meant.
	of course it is not mandatory to re-tag, i.e. use same m_tag type
	for both L3 and L2 and avoid re-tagging.  i was trying to make the
	point clear that whatever tags fast-ipsec code have added should be
	cleared under responsibility of fast-ipsec code (you can include
	ipsec-aware ethernet card driver as "fast-ipsec code").

itojun