hAre there any phones which use IPv6 native? AFAIK not. Anyway...

Ok...

Lets say the user is connected to GPRS and has a default route to there. Then, the user comes home and connects to WLAN which tells it to add a default route to WLAN. You can then do 2 things: you can either keep the original route or you can replace it. What will happen is that the WLAN gets priority over the GPRS. If you then want to use GPRS then you fire up PPP which will give you IPv4/32 PPP local, IPv4/32 PPP remote, and IPv4/32 PPP gw. The gw you add to be routed over PPP interface. If there is already a /32 routed as gw then you give your own gw priority over that one. Because it works in the order they're added you delete current, then add your own, and add the one deleted again although I believe iproute2 can handle this more elegant its not part of Maemo 5. Because the MMSC_IP will match default route you must add a route source MMSC_IP/32 destination IPv4/32 PPP gw. Then we do business with MMSC. Afterwards, you shut down the PPP interface everything will be as before you used PPP interface. The very same principle applies to your example!

Because you're either changing the route and changing it back again or deleting the route, adding the one we want to use for MMSC, and then adding the one we just deleted the current connection to IPv4 address which happens to be same as MMSC_IP will be temporarily routed over the PPP interface to the MMSC.

Same as above. Default route changes temporarily to be used over PPP interface, and current connections to gw 192.168.1.1 will not work anymore. That means everything would be routed to MMSC. But we can make some sanity checks against this. Its unlikely this happens btw.

The PPP /32 comes first before the WLAN /24. If there are connections to this WLAN address they'll be disconnected and sent to an IP address binded to PPP interface.

Bring wlan0 temporarily down.

The PPP /32 comes first before the WLAN /24. If there are connections to this WLAN address they'll be disconnected and sent to an IP address binded to PPP interface.

For all of 3 cases sanity check is needed and in all of 3 cases this happens in a split second because the MMS is max 300 kB which will be downloaded quickly over GPRS. You could use ARP for sanity checks.

Collisions happen, simple as that. There is always a chance they happen when you play with privately assigned IPv4 over several interfaces.

Well right now we use dev option in route:

Which will work in almost all cases.

Yes, true, but always existed, and happens too e.g. with VPN or even in the case of GPRS and WLAN. If this happens customers will be pissed. But the chance this happens is small.

If you're scared it happens, and inappropriate traffic passes, you can use pass-filter in PPPD to only allow MMSC_service which has certain characteristics such as source IPv4 and source port. One could even use add 127.0.0.2 to lo and only allow 127.0.0.2 to pass. Really, these collisions sometimes unfortunately happen and that sucks but it happens. And even if you want to prevent them there is no need for IPT or experimental IPT options although what you state does work.