> > My main concern is that in the nft version the AH rule matches one of the ICMP
> > packets even though the ICMP rule is higher up on the list.
> >
> > I tried to debug this and it seems to be related to this change:
> > https://github.com/torvalds/linux/commit/568af6de058cb2b0c5b98d98ffcf37cdc6bc38a7
> > IIUC, this "stop ipv6_find_hdr on AH" is not a regression but intended behavior.
> >
> > Now the question: is there some way to define rules which will match
> > the same way as it works in iptables-legacy? That is, look at the inner protocol
> > and not stop on AH?
>
> IIRC behaviour between iptables-legacy and ip6tables-legacy with
> regards to AH is inconsistent, because ip6tables-legacy -p matches on
> the inner header encapsulated by AH, but iptables-legacy matches on AH
> with -p.

OK, I understand that this was an inconsistency and it was fixed with the above change in the kernel, but does this mean that there is currently no way to check the inner protocol? Or maybe there is some other match or extension which could be used to get the "old iptables style" behaviour?