Fixed the behavior when there is no inbound policy for the ipsec

tunneled packet.
When there is no suitable inbound policy for the packet of the ipsec
tunnel mode, the kernel never decapsulate the tunneled packet
as the ipsec tunnel mode even when the system wide policy is "none".
Then the kernel leaves the generic tunnel module to process this
packet.  If there is no rule of the generic tunnel, the packet
is rejected and the statistics will be counted up.

Obtained from:	KAME
MFC after:	1 week

sys/netinet6/ipsec.c

@@ -3329,6 +3329,14 @@ ipsec6_tunnel_validate(m, off, nxt0, sav)
 
 	sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
 	    (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
+	/*
+	 * when there is no suitable inbound policy for the packet of the ipsec
+	 * tunnel mode, the kernel never decapsulate the tunneled packet
+	 * as the ipsec tunnel mode even when the system wide policy is "none".
+	 * then the kernel leaves the generic tunnel module to process this
+	 * packet.  if there is no rule of the generic tunnel, the packet
+	 * is rejected and the statistics will be counted up.
+	 */
 	if (!sp)
 		return 0;
 	key_freesp(sp);

sys/netkey/key.c

@@ -577,28 +577,6 @@ key_gettunnel(osrc, odst, isrc, idst)
 		return NULL;
 	}
 
-	/* if no SP found, use default policy. */
-	if (LIST_FIRST(&sptree[dir]) == NULL) {
-		switch (isrc->sa_family) {
-		case PF_INET:
-			if (ip4_def_policy.policy == IPSEC_POLICY_DISCARD)
-				return NULL;
-			ip4_def_policy.refcnt++;
-			return &ip4_def_policy;
-#ifdef INET6
-		case PF_INET6:
-			if (ip6_def_policy.policy == IPSEC_POLICY_DISCARD)
-				return NULL;
-			ip6_def_policy.refcnt++;
-			return &ip6_def_policy;
-#endif
-		default:
-			ipseclog((LOG_ERR, "invalid protocol family %d\n.",
-				isrc->sa_family));
-			return NULL;
-		}
-	}
-
 	s = splnet();	/*called from softclock()*/
 	LIST_FOREACH(sp, &sptree[dir], chain) {
 		if (sp->state == IPSEC_SPSTATE_DEAD)