RFC 3173 p 2.2. Non-Expansion Policy says that packets should
send unchanged (i.e. without compression and without IPComp header)
when compression is useless (the size of compressed data is not smaller
The ability to handle such uncompressed packets was partially implemented
via xform_ipip ip_encap handler, that was removed in rS281692.
The problem can be reproduced when IPSec configured in tunnel mode and IPComp
is the only used transform. Then for small packets IPComp will send just encapsulated
IP datagrams. Since there aren't any special handlers for IPPROTO_IPV4 and IPPROTO_IPV6,
such packets will be dropped by RAW IP code.
Previous implementation could do unneeded decapsulation for some packets due to false positive
handling. Also it seems it doesn't handle packets when only one IPComp transform is used.
This patch provides the alternative implementation of such feature.
In xform_ipcomp.c we register ip_encap handlers for IPPROTO_IPV4 and
IPPROTO_IPV6. The handler does lookup for SA related to IPComp protocol
and given from mbuf source and destination addresses as tunnel endpoints.
So, we decapsulate packets only when there are some corresponding SA found.
For this purpose key_allocsa_tunnel() functions is added.