On Mon, 22 Sep 2003, Nigel Metheringham wrote:
> > Are the NAT rules on the machine that has the tunnel? If they are, that
> > might explain a thing or two since the code looks correct for the case
> > where the packets pass through and another machine down the pipe sends
> > the icmp message back.
>
> Yes - all of this is on one machine.
> One interface has the effective listening port on it, another interface
> of the same box has the ipsec0 interface layered on top.
Could you please apply the attached patch and reproduce it again?
It's just a small patch that enables a little debugging for this.
The debug messages come out through the normal kernel log; run 'dmesg' and
see what it says. It's the lines beginning with "icmp_reply:".
/Martin
--- linux-2.4.21/net/ipv4/netfilter/ip_nat_core.c 2003-06-14 16:46:09.000000000 +0200
+++ linux-2.4.21.test/net/ipv4/netfilter/ip_nat_core.c 2003-09-20 20:59:10.000000000 +0200
@@ -913,7 +913,7 @@
where we would normally apply a dst manip, we apply
a src, and vice versa. */
if (info->manips[i].hooknum == hooknum) {
- DEBUGP("icmp_reply: inner %s -> %u.%u.%u.%u %u\n",
+ printk("icmp_reply: inner %s -> %u.%u.%u.%u %u\n",
info->manips[i].maniptype == IP_NAT_MANIP_SRC
? "DST" : "SRC",
NIPQUAD(info->manips[i].manip.ip),
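Review bot: the printk() that replaces DEBUGP here carries no log level and is unconditional, so it fires for every ICMP error translated by NAT and on a busy box can flood dmesg and bury the lines you asked Nigel to look for. For a throwaway debugging patch this is tolerable, but at least give it a level and rate-limit it, e.g. `if (net_ratelimit()) printk(KERN_DEBUG "icmp_reply: inner %s -> %u.%u.%u.%u %u\n", ...)`, so the default console loglevel does not also echo it to the console. The inverted label (maniptype SRC printed as "DST") matches the comment above about swapping src and dst for the inner header, so that part is fine as is.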
@@ -928,7 +928,7 @@
/* Use mapping to map outer packet: 0 give no
per-proto mapping */
- DEBUGP("icmp_reply: outer %s -> %u.%u.%u.%u\n",
+ printk("icmp_reply: outer %s -> %u.%u.%u.%u\n",
info->manips[i].maniptype == IP_NAT_MANIP_SRC
? "SRC" : "DST",
NIPQUAD(info->manips[i].manip.ip));
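Review bot: same missing log level as in the first hunk (`printk(KERN_DEBUG ...)`), and this "outer" line prints only the direction and the address, with no hooknum or other tag, so an inner/outer pair can only be matched in dmesg by adjacency; adding `hooknum` to both format strings would make the correlation unambiguous when several ICMP errors are in flight. Also note that as pasted the hunk is one line short of its `@@ -928,7 +928,7 @@` count (six old-side lines shown, seven declared), so this inline copy will not apply with patch(1); the attached file should be used rather than this text.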