--- zzzz-none-000/linux-4.4.271/net/netfilter/nf_nat_core.c 2021-06-03 06:22:09.000000000 +0000
+++ hawkeye-5590-750/linux-4.4.271/net/netfilter/nf_nat_core.c 2023-04-19 10:22:30.000000000 +0000
@@ -90,6 +90,9 @@
 struct dst_entry *dst;
 int err;
 
+ if (skb->dev && !dev_net(skb->dev)->xfrm.policy_count[XFRM_POLICY_OUT])
+ return 0;
+
 err = xfrm_decode_session(skb, &fl, family);
 if (err < 0)
 return err;
@@ -404,6 +407,13 @@
 
 get_unique_tuple(&new_tuple, &curr_tuple, range, ct, maniptype);
 
+#if IS_ENABLED(CONFIG_NF_NAT_TRY_NEXT_RULE)
+ if (curr_tuple.src.u.all != 0 && curr_tuple.dst.u.all != 0 &&
+ new_tuple.src.u.all != 0 && new_tuple.dst.u.all != 0 &&
+ nf_nat_used_tuple(&new_tuple, ct))
+ return XT_CONTINUE;
+#endif
+
 if (!nf_ct_tuple_equal(&new_tuple, &curr_tuple)) {
 struct nf_conntrack_tuple reply;
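Review bot: The early `return 0` before `xfrm_decode_session()` checks only the namespace-wide count of outbound policies, so a policy attached to the sending socket is not considered. If this kernel accounts per-socket policies under a separate index (which I believe 4.4 does), a NATed packet from such a socket would skip the policy re-lookup and could leave without the transform. The namespace is also taken from `skb->dev`, which need not be the one the later lookup uses; the signature and the lookup call are outside the hunk, so this needs checking against the full body. A conservative form limits the shortcut to packets with no owning socket, `if (!skb->sk && skb->dev && !dev_net(skb->dev)->xfrm.policy_count[XFRM_POLICY_OUT])`, at the cost of losing the fast path for local traffic. A comment such as `/* no outbound IPsec policy in this netns: nothing to re-route */` would explain why returning success here is safe.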
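Review bot: `return XT_CONTINUE;` returns an xtables rule verdict from NAT core code, so any caller that is not an iptables target would receive a value it presumably treats as a netfilter hook verdict. The enclosing function starts outside the hunk and its callers are not visible here. If such callers exist (null-binding setup, NAT helpers, nftables or netlink paths are the usual candidates), they should map this result to their own fallback rather than pass it on. The bail-out also runs before the visible `nf_ct_tuple_equal` block, leaving the conntrack without a NAT binding; a comment should say this is intended, e.g. `/* tuple already taken: leave ct unbound so the next NAT rule can try */`. The four `.u.all != 0` tests also need a line explaining which protocols or tuples they are meant to exclude.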