This patch makes xfrm_policy_check locate the correct policy after NAT. For protocols which do policy checks in their receive routines, the reference to nfct has to be kept until policy checks are done; the other ones still drop it in ip_local_deliver_finish.