ipsec patches test: minor compilation and policy match issues

Henrik Nordstrom hno@marasystems.com
Sun, 25 Jul 2004 11:40:56 +0200 (CEST)


On Fri, 23 Jul 2004, Patrick McHardy wrote:

> > But seriously speaking I think conntrack may need to be split in two for
> > this to work properly: prerouting to associate packet with connection for
> 
> I've thought about this, but I can't imagine how it would work, you
> have to deal with all kinds of races ..

conntrack should be manageable in this I think, but NAT looks like a
nightmare.. In any event it is a major change of connection tracking and
most likely outside what is realistic to do during a "stable" kernel
cycle.

For now I think it is better to make use of the raw table and accept the
duplicate policy check on ipsec traffic; if too heavy, add an skb flag
indicating the policy check is already done.

Regards
Henrik