netfilter-devel.vger.kernel.org archive mirror
* do not nat gre packets
@ 2008-02-24 19:04 Friedrich Euler
  2008-02-25 12:08 ` Patrick McHardy
  0 siblings, 1 reply; 2+ messages in thread
From: Friedrich Euler @ 2008-02-24 19:04 UTC (permalink / raw)
  To: netfilter-devel

Hello, 
  
I am currently using iptables version 1.2.7a and encountered the following
issue. When using a GRE (over ipsec) tunnel without the optional GRE key
field, Netfilter cannot find a unique tuple for all GRE packets. This makes
the connection tracking fail. The source code shows only a GRE over PPTP
implementation. My understanding is that I need to extend the iptables
implementation of version 1.2.7a to enable the connection tracking. Is this
true? Was this fixed in a version following 1.2.7a? 
  
I would appreciate any information on this. 
  
 
Kind regards,

Friedrich



* Re: do not nat gre packets
  2008-02-24 19:04 do not nat gre packets Friedrich Euler
@ 2008-02-25 12:08 ` Patrick McHardy
  0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2008-02-25 12:08 UTC (permalink / raw)
  To: Friedrich Euler; +Cc: netfilter-devel

Friedrich Euler wrote:
> I am currently using iptables version 1.2.7a and encountered the following
> issue. When using a GRE (over ipsec) tunnel without the optional GRE key
> field, Netfilter cannot find a unique tuple for all GRE packets. This makes
> the connection tracking fail. The source code shows only a GRE over PPTP
> implementation. My understanding is that I need to extend the iptables
> implementation of version 1.2.7a to enable the connection tracking. Is this
> true? Was this fixed in a version following 1.2.7a? 
>   
> I would appreciate any information on this. 


Without the gre key there is no way to distinguish two gre tunnels
between the same pair of hosts, so the connection tracking helper
behaves similarly to ip_conntrack_proto_generic. It does not fail,
it simply doesn't work with multiple tunnels with equal endpoints.

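The collapse Patrick describes can be reproduced outside the kernel. The following is an added example, not code from the thread or from netfilter itself: it parses a GRE header (RFC 2784/2890, with the RFC 2637 PPTP variant that carries the call ID in the low 16 bits of the key field), builds a simplified lookup tuple of the form (src, dst, proto, key), and counts how many tracked entries a set of flows would produce. The tuple layout, the host addresses and the sample packets are constructed assumptions, not the real nf_conntrack structures.

```python
"""Model of a GRE connection-tracking tuple and why unkeyed tunnels between
the same endpoints collapse into a single entry.  Added example, not kernel
code; the (src, dst, proto, key) tuple is a simplification adopted here."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

GRE_PROTO = 47          # IP protocol number for GRE
GRE_FLAG_CSUM = 0x8000  # C bit: checksum + reserved1 words present
GRE_FLAG_KEY = 0x2000   # K bit: 32-bit key present
GRE_FLAG_SEQ = 0x1000   # S bit: sequence number present
PPTP_VERSION = 1        # RFC 2637 "enhanced GRE": key = payload len | call ID


@dataclass(frozen=True)
class GreHeader:
    flags: int
    version: int
    proto: int
    key: Optional[int]  # None when the K bit is clear


def build_gre(proto: int, key: Optional[int] = None, version: int = 0,
              payload: bytes = b"") -> bytes:
    """Encode a minimal GRE header (constructed test input; no csum/seq)."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags | (version & 0x7), proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def parse_gre(pkt: bytes) -> GreHeader:
    """Parse flags/version, protocol type and the optional checksum and key."""
    if len(pkt) < 4:
        raise ValueError("GRE header truncated")
    flags_ver, proto = struct.unpack("!HH", pkt[:4])
    flags, version = flags_ver & 0xFFF8, flags_ver & 0x7
    off = 4
    if flags & GRE_FLAG_CSUM:
        off += 4  # skip checksum + reserved1
    key = None
    if flags & GRE_FLAG_KEY:
        if len(pkt) < off + 4:
            raise ValueError("GRE key field truncated")
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    return GreHeader(flags, version, proto, key)


def conntrack_tuple(src: str, dst: str, pkt: bytes) -> Tuple[str, str, int, int]:
    """Lookup tuple as a tracker would form it.  Without a key there is
    nothing beyond the endpoints to distinguish on, so the key slot is 0
    for every packet, exactly like a generic (key-less) protocol."""
    gre = parse_gre(pkt)
    if gre.key is None:
        return (src, dst, GRE_PROTO, 0)
    if gre.version == PPTP_VERSION:
        # PPTP: high 16 bits are the payload length (varies per packet),
        # low 16 bits are the call ID, which is what identifies the session.
        return (src, dst, GRE_PROTO, gre.key & 0xFFFF)
    return (src, dst, GRE_PROTO, gre.key)


def count_tracked_tunnels(flows: Iterable[Tuple[str, str, bytes]]) -> int:
    """Number of distinct conntrack entries the given (src, dst, pkt) flows create."""
    return len({conntrack_tuple(s, d, p) for s, d, p in flows})


# Constructed sample traffic: two tunnels between the same pair of hosts,
# carrying different inner payloads, once without keys and once with keys.
A, B = "192.0.2.1", "198.51.100.1"
UNKEYED = [(A, B, build_gre(0x0800, payload=b"inner-pkt-tunnel-1")),
           (A, B, build_gre(0x0800, payload=b"inner-pkt-tunnel-2"))]
KEYED = [(A, B, build_gre(0x0800, key=1, payload=b"inner-pkt-tunnel-1")),
         (A, B, build_gre(0x0800, key=2, payload=b"inner-pkt-tunnel-2"))]

if __name__ == "__main__":
    print("unkeyed tunnels tracked as", count_tracked_tunnels(UNKEYED), "entry")
    print("keyed tunnels tracked as", count_tracked_tunnels(KEYED), "entries")
```

Running it shows the two unkeyed tunnels sharing one entry while the keyed pair gets two; the payload never enters the tuple, so only the key can separate tunnels with equal endpoints.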
