backout my previous commit (KAME PR 296). foo != TUNNEL will

forbid "ANY" SA from being used for tnunel mode.

Reported by:	Chris Cason <casonc@netplex.aussie.org>

1 files changed, 0 insertions, 4 deletions

diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 6d8022b..87e771f 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -3148,8 +3148,6 @@ ipsec4_tunnel_validate(ip, nxt0, sav)
 
 	if (nxt != IPPROTO_IPV4)
 		return 0;
-	if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL)
-		return 0;
 #ifdef _IP_VHL
 	hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
 #else
@@ -3188,8 +3186,6 @@ ipsec6_tunnel_validate(ip6, nxt0, sav)
 
 	if (nxt != IPPROTO_IPV6)
 		return 0;
-	if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL)
-		return 0;
 	switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
 	case AF_INET6:
 		sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst);