for receive side: - create lifetime structure, move all lifetime checks to common code. - create transform structure, - create call for each ``switch'' clause. - create per-packet state structure - attach to ``proto\_priv'' or 2.2-equiv - split up into pre-crypto, crypto and post-crypto stages. - call each directly. - introduce single MAST device, have all cleartext packets emerge from it. - adapt tunnel exit checks to be netfilter based for transmit side: - adapt lifetime checks - split into pre-crypto, crypto and post-crypto stages. - stop overloading said SPI value usage - eliminate redundant lookup of eroute->TDB chain. - add facility for using netfilter for SA selection - connect MAST transmit to ``default'' SA. introduce MAST concept to Pluto/Setup scripts. - permit MAST device to be cloned. - receive side SAs should map to MAST device. test jig - bring up User-Mode Linux - network several UMLs (3 gateways, 3 clients) - compile FreeSWAN into UML - bring up UML canonical FreeSWAN network