--- zzzz-none-000/linux-4.9.231/net/netfilter/nf_nat_core.c 2020-07-22 07:10:54.000000000 +0000
+++ falcon-5590-729/linux-4.9.231/net/netfilter/nf_nat_core.c 2022-03-30 12:03:35.000000000 +0000
@@ -93,6 +93,9 @@
 struct dst_entry *dst;
 int err;
 
+ if (skb->dev && !dev_net(skb->dev)->xfrm.policy_count[XFRM_POLICY_OUT])
+ return 0;
+
 err = xfrm_decode_session(skb, &fl, family);
 if (err < 0)
 return err;
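Review bot: The early `return 0` tests only `policy_count[XFRM_POLICY_OUT]`, which as far as I can tell counts global outbound policies; per-socket policies are accounted under `XFRM_POLICY_MAX + XFRM_POLICY_OUT`. A NATed packet whose socket carries its own IPsec policy would then presumably skip the re-lookup further down and leave untransformed. Consider widening the guard with `&& !dev_net(skb->dev)->xfrm.policy_count[XFRM_POLICY_MAX + XFRM_POLICY_OUT]`, and add a comment such as `/* fast path: no outbound xfrm policy in this netns, nothing to re-route */`. The function's signature and the lookup that follows are outside the hunk, so confirm which netns the later code uses and read the counter from that same netns rather than from `skb->dev`.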