Hi, I noticed (in relation to my nbma gre multicast testing) that the nat connection tracking code does not cache flows for locally originating traffic that is routed to gre tunnel (forwarded traffic is ok). I basically have a router box with nbma gre tunnel. It gets 10/8 traffic. And is routed to internet interface. An ipsec xfrm is applied. Now, if the router box is forwarding traffic from some physical interface, everything works as expected. However, if a local process on the router box is sending packets that go to gre tunnel, each packet causes a new lookup on nat table OUTPUT chain. This is easily verified by doing flood ping on router box on private IP and the counters on nat table OUTPUT chain default policy start to get incremented wildly. I tried to oprofile this and it says most of the time is spent in ipt_do_table(). I would suppose that the place where netfilter hook is called is ip_gre.c:ipgre_tunnel_xmit() when it invokes macro IPTUNNEL_XMIT() calling ip_local_out(). Monitoring the connection tracking stats, it looks like all packets are reusing the proper connection tracking cache entry. But somehow the nat target still gets called for the locally originating packets to gre. Any ideas how to fix this? Thanks, Timo -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
