When using hardware crypto engines, the callback functions used to handle
an IPSec packet after it has been encrypted or decrypted can be invoked
asynchronously from a worker thread that is not associated with a vnet.
Extend 'struct xform_data' to include a vnet pointer and save the current
vnet in this new member when queueing crypto requests in IPSec. In the
IPSec callback routines, use the new member to set the current vnet while
processing the modified packet.

This fixes a panic when using hardware offload such as ccr(4) with IPSec
after VIMAGE was enabled in GENERIC.

• ping when using ccr(4) to offload crypto for an IPSec tunnel using AES-CBC + SHA1 HMAC.