Trying to make 2.6.x IPsec and conntrack/nat work

Spent some time thinking about how to possibly solve the long-standing problem with conntrack/NAT and the 2.6.x in-kernel AH/ESP implementation.
The recent discussion on netfilter-devel was quite productive, although most of my ideas turned out to be technically impossible :(
For example, iptables cannot attach the same CHAIN to multiple HOOKS. That would be so neat. Would somebody remind me that that has to go into pkttables?
Anyway, I've now written a surprisingly small (but still ugly) patch that should do about 60% of the solution we agreed upon on the mailing list.
Unfortunately, I don't have the time to set up a full IPsec test bed right now, so I have to rely on others to test it.