This is my current set of netfilter+IPsec patches with Herbert's suggestions incorporated.

Changes since the last posted patches:

- remove okfn use in ipvs and ip_conntrack to avoid deep callchains with IPsec
- only pass packets to netfilter after tunnel mode transforms, except for once in plain before encapsulation or after decapsulation.
- NAT support