Add ip_ipsec_forward() function and call it from ip_forward().

Description

Add ip_ipsec_forward() function and call it from ip_forward().

This function is intended to check inbound and outbound security policies
for forwarded packet. If inbound policy doesn't discard packet, then we
check outbound policy. Since we act as router, we can apply only tunnel
mode IPsec to forwarded traffic (with transport mode we will not receive
responses from partner). So, if matched outbound policy has tunnel mode
transform, we can handle packet with IPsec. And this packet will be
consumed by ipsec4_process_packet().

In ip_forward() do IPsec handling after TTL decrementing. If mbuf will
be consumed by IPsec, it will be encapsulated, thus its TTL value should
be decremented before (RFC1853). Also for the same reason we need to make
mbuf's copy before decrementing TTL and doing IPsec checks.

Also add IPSEC_FORWARD() and IPSEC_INPUT() wrapper macros.
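
Added example (not part of the commit or of the FreeBSD source): a simplified user-space C model of the ordering the message describes, with the copy taken first, the TTL decremented next, and the inbound and outbound policy checks last. All type and function names are hypothetical; dropping on an outbound discard policy, forwarding unchanged when no tunnel-mode policy matches, and treating a TTL of 1 or less as expired are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical, not a kernel symbol. */
enum sp_action  { SP_BYPASS, SP_DISCARD, SP_IPSEC };
enum sp_mode    { MODE_NONE, MODE_TRANSPORT, MODE_TUNNEL };
enum fwd_result { FWD_PLAIN, FWD_DROP, FWD_IPSEC_CONSUMED, FWD_TTL_EXPIRED };

struct policy  { enum sp_action action; enum sp_mode mode; };
struct outcome { enum fwd_result res; uint8_t copy_ttl; uint8_t inner_ttl; };

/* Policy step: inbound check first, outbound only if inbound did not discard. */
static enum fwd_result
model_ipsec_forward(const struct policy *in, const struct policy *out)
{
	if (in->action == SP_DISCARD)
		return (FWD_DROP);
	if (out->action == SP_DISCARD)	/* assumption: outbound discard also drops */
		return (FWD_DROP);
	/* A router can only apply tunnel mode to traffic it forwards. */
	if (out->action == SP_IPSEC && out->mode == MODE_TUNNEL)
		return (FWD_IPSEC_CONSUMED);
	return (FWD_PLAIN);	/* assumption: anything else is forwarded as-is */
}

/* Forwarding step: copy, decrement TTL, then consult the policies. */
static struct outcome
run_case(enum sp_action in_a, enum sp_action out_a, enum sp_mode out_m, uint8_t ttl)
{
	struct policy in = { in_a, MODE_NONE }, out = { out_a, out_m };
	struct outcome o = { FWD_TTL_EXPIRED, 0, 0 };

	if (ttl <= 1)
		return (o);	/* assumption: nothing left to decrement, not forwarded */
	o.copy_ttl = ttl;	/* copy is taken before the header is modified */
	ttl--;			/* decrement before any encapsulation */
	o.res = model_ipsec_forward(&in, &out);
	if (o.res == FWD_IPSEC_CONSUMED)
		o.inner_ttl = ttl;	/* inner header carries the decremented TTL */
	return (o);
}

int
main(void)
{
	struct outcome o = run_case(SP_BYPASS, SP_IPSEC, MODE_TUNNEL, 64);
	printf("res=%d copy_ttl=%u inner_ttl=%u\n", o.res, o.copy_ttl, o.inner_ttl);
	return (0);
}
```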

Details

Provenance
ae
Authored on
Parents
rS308874: Actually bump __FreeBSD_version