by tptacek 5668 days ago
The "tag" is an mbuf tag. Mbuf tags aren't packet data; think of them like per-packet session state, so that different layers of the stack (the network drivers, any driver required to handle crypto goo done on the card, the original IP code, and the IPSEC decapsulation and handling code) can talk to each other without hand-coding a million disgusting callbacks throughout the kernel.

In this code, "mtag" is the tag matching PACKET_TAG_IPSEC_IN_CRYPTO_DONE, which the lower-level drivers use to tell the IPSEC code that the NIC already did verification. If the tag isn't there, then you want to do the verification in software, which is what the fixed code does and the broken code didn't do.
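The handshake described in the comment, as an added standalone model that is not code from the comment or from the FreeBSD/OpenBSD kernel: a per-packet tag chain, a tag that a crypto-offload driver attaches when the NIC already verified the authenticator, and an input routine that must fall back to software verification when that tag is absent. Only the name PACKET_TAG_IPSEC_IN_CRYPTO_DONE is taken from the comment; the `struct mbuf` and `struct m_tag` layouts, the numeric tag value, `tag_find`, `ah_input_fixed`, `ah_input_broken` and the toy keyed checksum standing in for the real HMAC are all simplifying assumptions, not the kernel's definitions.

```c
/*
 * Added example modelling the mbuf-tag pattern. Everything below except the
 * tag name PACKET_TAG_IPSEC_IN_CRYPTO_DONE is an assumption made for this
 * model; it is not the FreeBSD/OpenBSD data structures or IPsec input code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PACKET_TAG_IPSEC_IN_CRYPTO_DONE 2   /* assumed value, not the kernel's */

struct m_tag {                 /* one per-packet tag; chained, not packet data */
    struct m_tag *next;
    int type;
};

struct mbuf {                  /* toy mbuf: payload, authenticator, tag chain */
    const uint8_t *data;
    size_t len;
    uint8_t icv[4];
    struct m_tag *tags;
};

/* Return the first tag of the requested type, or NULL if no layer attached one. */
static struct m_tag *tag_find(struct mbuf *m, int type) {
    for (struct m_tag *t = m->tags; t != NULL; t = t->next)
        if (t->type == type)
            return t;
    return NULL;
}

/* Attach a tag; in the model only a "driver" (run_input below) ever does this. */
static void tag_prepend(struct mbuf *m, struct m_tag *t) {
    t->next = m->tags;
    m->tags = t;
}

/* Toy keyed checksum (FNV-1a mixed with a key) standing in for HMAC. Not secure. */
static void toy_icv(const uint8_t *data, size_t len, uint8_t key, uint8_t out[4]) {
    uint32_t h = 2166136261u ^ key;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    out[0] = (uint8_t)(h >> 24); out[1] = (uint8_t)(h >> 16);
    out[2] = (uint8_t)(h >> 8);  out[3] = (uint8_t)h;
}

/* Software authenticator check; compares without early exit. Returns 1 if valid. */
static int sw_verify(const struct mbuf *m, uint8_t key) {
    uint8_t expect[4];
    int diff = 0;
    toy_icv(m->data, m->len, key, expect);
    for (int i = 0; i < 4; i++)
        diff |= expect[i] ^ m->icv[i];
    return diff == 0;
}

/* The shape the comment describes for the fix: trust the NIC only when the
   crypto-done tag is present; otherwise verify in software. Returns 1 to accept. */
static int ah_input_fixed(struct mbuf *m, uint8_t key) {
    struct m_tag *mtag = tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE);
    if (mtag == NULL)
        return sw_verify(m, key);
    return 1;
}

/* Model of the failure mode the comment describes: the software fallback for
   the no-tag case is missing, so a packet with a bad authenticator is accepted. */
static int ah_input_broken(struct mbuf *m, uint8_t key) {
    (void)key;
    (void)tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE);
    return 1;   /* no tag and no software check: forgery passes */
}

/* Build a constructed packet and run it through one input path.
   forged: corrupt the authenticator; offloaded: a driver attached the done tag;
   use_fixed: 1 for ah_input_fixed, 0 for ah_input_broken. Returns accept flag. */
static int run_input(int forged, int offloaded, int use_fixed) {
    static const uint8_t payload[] = "constructed ESP/AH payload";   /* constructed */
    const uint8_t key = 0x5a;
    struct m_tag done = { NULL, PACKET_TAG_IPSEC_IN_CRYPTO_DONE };
    struct mbuf m = { payload, sizeof payload - 1, {0}, NULL };
    toy_icv(m.data, m.len, key, m.icv);
    if (forged)
        m.icv[0] ^= 0xff;
    if (offloaded)
        tag_prepend(&m, &done);
    return use_fixed ? ah_input_fixed(&m, key) : ah_input_broken(&m, key);
}

int main(void) {
    printf("forged, no tag, fixed path accepted:  %d\n", run_input(1, 0, 1));
    printf("forged, no tag, broken path accepted: %d\n", run_input(1, 0, 0));
    printf("valid, no tag, fixed path accepted:   %d\n", run_input(0, 0, 1));
    printf("NIC-verified tag, fixed path accepted: %d\n", run_input(0, 1, 1));
    return 0;
}
```

The point the model makes concrete: the tag is a claim by a lower layer, so its absence has to mean "do the work yourself", never "nothing to do". The flip side is that the trust only holds if tags of this type can be attached solely by the driver that actually did the verification; anything derived from packet contents must never be able to create one.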