+++ /dev/null
---- a/net/netfilter/nf_nat_core.c
-+++ b/net/netfilter/nf_nat_core.c
-@@ -90,6 +90,9 @@ int nf_xfrm_me_harder(struct sk_buff *sk
- struct dst_entry *dst;
- int err;
-
-+ if (skb->dev && !dev_net(skb->dev)->xfrm.policy_count[XFRM_POLICY_OUT])
-+ return 0;
-+
- err = xfrm_decode_session(skb, &fl, family);
- if (err < 0)
- return err;