Re: do not nat gre packets

Friedrich Euler wrote:
I am currently using iptables version 1.2.7a and encountered the following
issue. When using a GRE (over ipsec) tunnel without the optional GRE key
field, Netfilter cannot find a unique tuple for all GRE packets. This makes
the connection tracking fail. The source code shows only a GRE over PPTP
implementation. My understanding is that I need to extend the iptables
implementation of version 1.2.7a to enable the connection tracking. Is this
true? Was this fixed in a version following 1.2.7a? I would appreciate any
information on this.


Without the gre key there is no way to distinguish two gre tunnels
between the same pair of hosts, so the connection tracking helper
behaves similarly to ip_conntrack_proto_generic. It does not fail,
it simply doesn't work with multiple tunnels with equal endpoints.
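The point in the reply above, as an added example that is not part of the thread or of the netfilter code: a conntrack-style tuple for GRE is (src, dst, key), so two keyless tunnels between the same endpoints collapse into one tuple. The helper names, the 192.0.2.x addresses and the packet bytes are constructed for this illustration; only GRE version 0 headers are handled.

```python
import struct
from typing import List, NamedTuple, Optional

GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_K = 0x2000  # key present
GRE_FLAG_S = 0x1000  # sequence number present (not needed for the tuple)


class GreTuple(NamedTuple):
    """Hypothetical flow tuple, modelled on (src, dst, key) tracking."""
    src: str
    dst: str
    key: Optional[int]  # None when the packet carries no key field


def parse_gre_key(payload: bytes) -> Optional[int]:
    """Return the 32-bit GRE key if the K flag is set, else None.

    RFC 2784/2890 layout: flags+version (2), protocol type (2), then the
    optional checksum+reserved (4), key (4), sequence number (4)."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags = struct.unpack("!H", payload[:2])[0]
    if flags & 0x0007:  # version field; PPTP's version 1 is out of scope here
        raise ValueError("only GRE version 0 handled")
    offset = 4 + (4 if flags & GRE_FLAG_C else 0)
    if flags & GRE_FLAG_K:
        if len(payload) < offset + 4:
            raise ValueError("truncated GRE key field")
        return struct.unpack("!I", payload[offset:offset + 4])[0]
    return None


def conntrack_tuple(src: str, dst: str, payload: bytes) -> GreTuple:
    return GreTuple(src, dst, parse_gre_key(payload))


def build_gre(proto: int, key: Optional[int] = None) -> bytes:
    """Constructed GRE v0 header with or without the key field."""
    hdr = struct.pack("!HH", GRE_FLAG_K if key is not None else 0, proto)
    return hdr + (struct.pack("!I", key) if key is not None else b"")


A, B = "192.0.2.1", "192.0.2.2"  # constructed endpoint pair


def distinguishable(keys: List[Optional[int]]) -> bool:
    """True if one tunnel per entry in `keys` gets its own tuple."""
    tuples = {conntrack_tuple(A, B, build_gre(0x0800, k)) for k in keys}
    return len(tuples) == len(keys)


if __name__ == "__main__":
    print(distinguishable([1, 2]))        # True: keyed tunnels are separable
    print(distinguishable([None, None]))  # False: keyless ones collide
```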