Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks
From: David S. Miller <hidden>
Date: 2004-03-19 06:15:23
Also in:
netfilter-devel
On Thu, 18 Mar 2004 17:32:14 +0100 Patrick McHardy [off-list ref] wrote:
If the protocol handler of a packet with a secpath pointer is a non-xfrm-protocol, the packet was handled by ipsec and is done now; it traverses the PRE_ROUTING and LOCAL_IN hooks then. This catches packets from both tunnel-mode and transport-mode SAs.
Be careful! xfrm4_tunnel handles both uncompressed ipcomp packets _and_ IPIP encapsulator device packets. Yet you will interpret usage of the ipprot as 'xfrm_prot==1' in all cases. Yes this is ugly... if we added some kind of flag bit-mask to sk_buff, would that allow an easier implementation?