linuxludo@xxxxxxx <linuxludo@xxxxxxx> wrote:
> When I enabled the GRE tunnel interface, I got a reject of GRE packets:
>
> Mar 1 09:09:56 router1 kernel: [ 303.025798] [FW6-IN-2-D] IN=eth0 OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:86:dd SRC=2001:0db8:1000:0000:0000:0000:0000:0002 DST=2001:0db8:1000:0000:0000:0000:0000:0001 LEN=136 TC=0 HOPLIMIT=64 FLOWLBL=825134 PROTO=47
>
> This unconditionally matched the invalid packets rule.

Yes, the return value is wrong, it should be NF_ACCEPT, not -NF_ACCEPT.

In older kernels, the gre tracker only registers for ipv4 and ipv6 gre
falls back to generic ipv6 tracker.

I think given there is nothing l3 protocol specific in the GRE tracker
removal of the conditional is preferable.
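
The sign error discussed above, as an added example that is not part of the original message and not kernel source: a simplified user-space model of the conntrack convention that a tracker result of zero or below marks the packet invalid and its negation becomes the hook verdict. `struct pkt`, `track_gre()`, `conntrack_in()` and `hits_invalid_rule()` are hypothetical names; the "fixed" branch only corrects the return value, which gives the same verdict as removing the conditional.

```c
/* Simplified model, not kernel code: all function and struct names
 * here are hypothetical and exist only for this illustration. */
#include <stdbool.h>
#include <stdio.h>

#define NF_DROP   0   /* verdict values as in linux/netfilter.h */
#define NF_ACCEPT 1

enum l3 { L3_IPV4, L3_IPV6 };

struct pkt {
    enum l3 family;
    bool has_conntrack;   /* false => a ctstate INVALID rule matches */
};

/* GRE tracker with the l3 conditional; 'buggy' picks the wrong sign. */
static int track_gre(const struct pkt *p, bool buggy)
{
    if (p->family != L3_IPV4)
        return buggy ? -NF_ACCEPT : NF_ACCEPT;
    return NF_ACCEPT;
}

/* Core: result <= 0 means "invalid"; the conntrack entry is detached
 * from the packet and the negated value becomes the verdict. */
static int conntrack_in(struct pkt *p, bool buggy)
{
    int ret = track_gre(p, buggy);

    p->has_conntrack = true;
    if (ret <= 0) {
        p->has_conntrack = false;
        ret = -ret;
    }
    return ret;
}

/* True if the packet passes conntrack but reaches the ruleset untracked,
 * which is what sends it to an "invalid packets" rule. */
static bool hits_invalid_rule(enum l3 family, bool buggy)
{
    struct pkt p = { .family = family, .has_conntrack = false };
    int verdict = conntrack_in(&p, buggy);

    return verdict == NF_ACCEPT && !p.has_conntrack;
}

int main(void)
{
    printf("ipv6 gre, -NF_ACCEPT: invalid=%d\n", hits_invalid_rule(L3_IPV6, true));
    printf("ipv6 gre,  NF_ACCEPT: invalid=%d\n", hits_invalid_rule(L3_IPV6, false));
    printf("ipv4 gre:             invalid=%d\n", hits_invalid_rule(L3_IPV4, true));
    return 0;
}
```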