Thanks for your feedback.

So, in this case, can you consider this request? Or do I have to make a new one?

Regards,

-----Original Message-----
From: Florian Westphal <fw@xxxxxxxxx>
Sent: Wednesday, March 3, 2021 18:12
To: linuxludo@xxxxxxx
Cc: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>; kadlec@xxxxxxxxxxxxx; fw@xxxxxxxxx; netfilter-devel@xxxxxxxxxxxxxxx; coreteam@xxxxxxxxxxxxx
Subject: Re: [PATCH] netfilter: Fix GRE over IPv6 with conntrack module

linuxludo@xxxxxxx <linuxludo@xxxxxxx> wrote:
> When I enabled the GRE tunnel interface, I got a reject of GRE packets:
>
> Mar 1 09:09:56 router1 kernel: [ 303.025798] [FW6-IN-2-D] IN=eth0
> OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:86:dd
> SRC=2001:0db8:1000:0000:0000:0000:0000:0002
> DST=2001:0db8:1000:0000:0000:0000:0000:0001 LEN=136 TC=0 HOPLIMIT=64
> FLOWLBL=825134 PROTO=47
>
> This unconditionally matched the invalid packets rule.

Yes, the return value is wrong, it should be NF_ACCEPT, not -NF_ACCEPT.

In older kernels, the gre tracker only registers for ipv4 and ipv6 gre falls back to generic ipv6 tracker.

I think, given there is nothing l3 protocol specific in the GRE tracker, removal of the conditional is preferable.