Hi Dave,

currently forwarded packets from a tunnel mode SA are checked in ip_forward/ip6_forward against the XFRM_POLICY_FWD policy list. Neither racoon nor pluto generates a policy for IPSEC_DIR_FWD, so the checks are performed against an empty list. I'm not sure who is wrong here, Linux or the keying daemons, but I think using XFRM_POLICY_IN is more logical since we also use XFRM_POLICY_OUT for forwarded packets, not XFRM_POLICY_FWD. This patch changes ip_forward/ip6_forward to check against the XFRM_POLICY_IN list.

BTW: The policy checks succeed as long as the policy list really is empty because xfrm_policy_check skips the check if xfrm_policy_list[dir] == NULL:

	return !xfrm_policy_list[dir] ||
		(skb->dst->flags & DST_NOPOLICY) ||
		__xfrm_policy_check(sk, dir, skb, family);

I think this should really read

	(!xfrm_policy_list[dir] && !skb->sp)

so decapsulated IPsec packets are dropped if no policy exists.

Regards
Patrick
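The fail-open that the mail points out, worked through as an added userspace model (example code written for this page, not the kernel's xfrm code and not part of Patrick's patch). The names xfrm_policy_list[dir], DST_NOPOLICY and skb->sp mirror the kernel fields discussed above, but every struct here is a simplified stand-in, and toy___xfrm_policy_check() is an assumed approximation of __xfrm_policy_check(): a matching policy decides, and a packet that matched no policy is accepted only if it did not come out of an SA. The two top-level checks compare the quoted condition with the proposed `(!xfrm_policy_list[dir] && !skb->sp)` variant on the same packets.

```c
/* Added example: userspace model of the xfrm_policy_check() short-circuit.
 * Not kernel code; structures are toy stand-ins for the fields named in the mail. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_FWD = 2, XFRM_POLICY_MAX = 3 };
#define DST_NOPOLICY 0x1

/* Toy policy entry: exact destination-address selector plus whether the
 * selected traffic must have arrived through an SA (assumed simplification). */
struct xfrm_policy {
    unsigned int daddr;
    bool require_ipsec;
    struct xfrm_policy *next;
};

struct sec_path { int len; };          /* non-NULL on an skb: it was decapsulated from IPsec */
struct dst_entry { unsigned int flags; };

struct sk_buff {
    unsigned int daddr;
    struct dst_entry *dst;
    struct sec_path *sp;
};

struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX];

/* Assumed stand-in for __xfrm_policy_check(): first matching policy decides;
 * with no matching policy, cleartext passes but decapsulated traffic does not. */
bool toy___xfrm_policy_check(int dir, struct sk_buff *skb)
{
    for (struct xfrm_policy *p = xfrm_policy_list[dir]; p; p = p->next) {
        if (p->daddr == skb->daddr)
            return !p->require_ipsec || skb->sp != NULL;
    }
    return skb->sp == NULL;
}

/* The condition quoted in the mail: an empty list for this direction skips the
 * whole check, so a decapsulated packet is accepted without any policy lookup. */
bool current_policy_check(int dir, struct sk_buff *skb)
{
    return !xfrm_policy_list[dir] ||
           (skb->dst->flags & DST_NOPOLICY) ||
           toy___xfrm_policy_check(dir, skb);
}

/* The variant proposed in the mail: the empty-list shortcut applies only to
 * packets that did not come out of an SA. */
bool proposed_policy_check(int dir, struct sk_buff *skb)
{
    return (!xfrm_policy_list[dir] && !skb->sp) ||
           (skb->dst->flags & DST_NOPOLICY) ||
           toy___xfrm_policy_check(dir, skb);
}

/* Scenario from the mail: no keying daemon installed a policy for this
 * direction, and the packet was just decapsulated from a tunnel SA. */
bool decapsulated_packet_accepted(bool use_proposed)
{
    static struct sec_path sp = { .len = 1 };
    static struct dst_entry dst = { .flags = 0 };
    struct sk_buff skb = { .daddr = 0x0a000001u, .dst = &dst, .sp = &sp };  /* constructed */

    xfrm_policy_list[XFRM_POLICY_IN] = NULL;
    return use_proposed ? proposed_policy_check(XFRM_POLICY_IN, &skb)
                        : current_policy_check(XFRM_POLICY_IN, &skb);
}

/* Same empty list, but an ordinary cleartext packet: both variants accept it. */
bool cleartext_packet_accepted(bool use_proposed)
{
    static struct dst_entry dst = { .flags = 0 };
    struct sk_buff skb = { .daddr = 0x0a000001u, .dst = &dst, .sp = NULL };  /* constructed */

    xfrm_policy_list[XFRM_POLICY_IN] = NULL;
    return use_proposed ? proposed_policy_check(XFRM_POLICY_IN, &skb)
                        : current_policy_check(XFRM_POLICY_IN, &skb);
}

/* With a matching policy installed that requires IPsec, the decapsulated
 * packet is accepted by both variants because the lookup now actually runs. */
bool decapsulated_packet_with_policy_accepted(bool use_proposed)
{
    static struct xfrm_policy pol = { .daddr = 0x0a000001u, .require_ipsec = true, .next = NULL };
    static struct sec_path sp = { .len = 1 };
    static struct dst_entry dst = { .flags = 0 };
    struct sk_buff skb = { .daddr = 0x0a000001u, .dst = &dst, .sp = &sp };  /* constructed */

    xfrm_policy_list[XFRM_POLICY_IN] = &pol;
    return use_proposed ? proposed_policy_check(XFRM_POLICY_IN, &skb)
                        : current_policy_check(XFRM_POLICY_IN, &skb);
}

int main(void)
{
    printf("decapsulated, empty list: current=%s proposed=%s\n",
           decapsulated_packet_accepted(false) ? "accept" : "drop",
           decapsulated_packet_accepted(true) ? "accept" : "drop");
    printf("cleartext, empty list:    current=%s proposed=%s\n",
           cleartext_packet_accepted(false) ? "accept" : "drop",
           cleartext_packet_accepted(true) ? "accept" : "drop");
    return 0;
}
```

The first scenario is the one the mail describes: with the quoted condition the decapsulated packet is accepted without any policy being consulted, while the proposed condition falls through to the lookup, which rejects unmatched IPsec traffic. The other two scenarios show that the proposed form does not change the outcome for cleartext packets or for packets covered by an installed policy.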