David S. Miller wrote:

Be careful!  xfrm4_tunnel handles both uncompressed ipcomp packets
_and_ IPIP encapsulator device packets.  Yet you will intepret usage
of the ipprot as 'xfrm_prot==1' in all cases.

Yes this is ugly... if we added some kind of flag bit-mask to sk_buff,
would that allow an easier implementation?

I can't imagine how. Best would be to avoid the xfrm_prot flag
completely. Maybe we can add a flag to xfrm_state which indicates
that this is the last xfrm specified in the policy ?