Some implementation problems about IPsec
blue
susan.lan at zyxel.com.tw
Fri Jun 29 01:00:29 UTC 2007
Dear all:
I have been tracing the code of the IPsec implementation recently. I have
two problems here about the implementation:
1. In ip6_input.c, before handing the packet to the next protocol
handler after processing the IPv6 headers, there is:
    #ifdef IPSEC
            /*
             * enforce IPsec policy checking if we are seeing last header.
             * note that we do not visit this with protocols with pcb layer
             * code - like udp/tcp/raw ip.
             */
            if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
                ipsec6_in_reject(m, NULL)) {
                    ipsec6stat.in_polvio++;
                    goto bad;
            }
    #endif
Why does it need to do ipsec6_in_reject() here only for some specific "LASTHDR"
protocols, such as icmp? Why don't all packets need the check?
2. What is the real meaning of the flags M_AUTHIPHDR, M_AUTHIPDGM, and
M_DECRYPTED? At the beginning, I thought an mbuf carrying any one of
the flags would mean it had been processed by the IPsec stack. However, in
the KAME implementation, ah_input and ah6_input will unset the flag after an
AH tunneled packet has passed authentication, while in the case of ESP,
once the M_DECRYPTED flag is set, it is never unset. On the
other hand, in FAST_IPSEC, which is a different IPsec
implementation on FreeBSD, the flags are never unset, and another
flag named M_IPSEC is defined as M_AUTHIPHDR | M_AUTHIPDGM |
M_DECRYPTED. I am confused by the inconsistent usage.
Many Thanks.
Susan
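The following is an added example, not code from the mail or from FreeBSD: a simplified stand-alone model of the ip6_input() dispatch quoted in question 1, showing that the policy check in ip6_input() itself only fires when the final next-header belongs to a PR_LASTHDR protocol (icmp6 here), while tcp/udp are left for their pcb input paths. The PR_LASTHDR value and the one-entry protocol flag table are assumptions for this model; the packets are constructed inline.

```c
/* Simplified model (added example, not FreeBSD code) of the "last header"
 * policy check in ip6_input(). The real check in the pcb layer for tcp/udp
 * is not modelled; we only decide whether ip6_input() must run the check. */
#include <stdint.h>
#include <string.h>

#define PR_LASTHDR 0x40   /* assumed protosw flag value for this model */

enum { IP6_HOPOPTS = 0, IP6_TCP = 6, IP6_UDP = 17, IP6_ROUTING = 43,
       IP6_FRAGMENT = 44, IP6_ICMPV6 = 58, IP6_DSTOPTS = 60, IP6_NPROTO = 256 };

/* Assumed flag table: icmp6 has no pcb layer, so it is marked PR_LASTHDR;
 * tcp/udp stay 0 because their pcb input calls ipsec6_in_reject(m, inp). */
static const unsigned char pr_flags[IP6_NPROTO] = { [IP6_ICMPV6] = PR_LASTHDR };

static int is_ext_hdr(int nxt) {
    return nxt == IP6_HOPOPTS || nxt == IP6_ROUTING ||
           nxt == IP6_FRAGMENT || nxt == IP6_DSTOPTS;
}

/* Walk the extension-header chain of a raw IPv6 packet and return the
 * upper-layer protocol number (the "nxt" that reaches the #ifdef IPSEC
 * block), or -1 on a truncated packet. Fragment headers are fixed 8 bytes;
 * all other extension headers carry (len+1)*8 bytes. */
int ip6_last_header(const uint8_t *pkt, size_t len) {
    if (len < 40) return -1;
    int nxt = pkt[6];
    size_t off = 40;
    while (is_ext_hdr(nxt)) {
        if (off + 8 > len) return -1;
        size_t hlen = (nxt == IP6_FRAGMENT) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        if (off + hlen > len) return -1;
        nxt = pkt[off];            /* next header field of this ext header */
        off += hlen;
    }
    return nxt;
}

/* The condition from the quoted block: 1 if ip6_input() itself must call
 * ipsec6_in_reject(), 0 if the check is deferred to the protocol's pcb layer. */
int policy_checked_in_ip6_input(int nxt) {
    return nxt >= 0 && nxt < IP6_NPROTO && (pr_flags[nxt] & PR_LASTHDR) != 0;
}

/* Constructed test packet: IPv6 base header, optionally one 8-byte
 * Destination Options header, then 8 bytes of upper-layer payload. */
size_t build_packet(uint8_t *buf, int with_dstopts, int ulp) {
    memset(buf, 0, 56);
    buf[0] = 0x60;                              /* version 6 */
    size_t off = 40;
    if (with_dstopts) { buf[6] = IP6_DSTOPTS; buf[off] = (uint8_t)ulp; off += 8; }
    else { buf[6] = (uint8_t)ulp; }
    off += 8;                                   /* upper-layer bytes */
    buf[4] = (uint8_t)((off - 40) >> 8); buf[5] = (uint8_t)(off - 40);
    return off;
}
```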