[Bug 892] New: ip6tables --match policy needs to accept IPv4 addresses for --tunnel-src and --tunnel-dst

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Feb 2 16:42:49 CET 2014


           Summary: ip6tables --match policy needs to accept IPv4
                    addresses for --tunnel-src and --tunnel-dst
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ip6tables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: ast at domdv.de
   Estimated Hours: 0.0

ip6tables currently does not allow specifying IPv4 addresses for the
--tunnel-src and --tunnel-dst options of the policy match.
This, however, is required for an IPv6 via IPSec IPv4 tunnel. Let's assume the
IPSec tunnel endpoints are and and are interconnecting two IPv6
networks. Packets flowing across this connection shall be marked. This would
require something like the following:

ip6tables -t mangle -A INPUT --match policy --dir in --pol ipsec --mode tunnel
--tunnel-dst --tunnel-src -j MARK --set-mark 0x08/0x08

The above does not work. Instead one has to use the following undocumented
kludge which seems to work by just sheer luck:

ip6tables -t mangle -A INPUT --match policy --dir in --pol ipsec --mode tunnel
--tunnel-dst 102:304::/32 --tunnel-src 506:708::/32 -j MARK --set-mark

Looking at the netfilter kernel policy code (3.12.7) doesn't show any hint that
the case of IPv6 via IPv4 IPSec Tunnel is actually integrated, so the above
kludge seems to work just by chance.

If the above kludge is what is actually intended, this needs at least to be
documented in the iptables-extensions man page - I had to try bit for bit until
it became clear what address format to use and there is still the point that
one does not know about the supposed value of the remaining 96 bits of such an
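
Added example (not part of the bug report, and not iptables code): a small Python helper that shows the address mapping the kludge above relies on, assuming the 32 IPv4 bits occupy the high-order bits of the IPv6 address and the /32 prefix masks the unspecified remaining 96 bits. The endpoints 1.2.3.4 and 5.6.7.8 are constructed sample values.

```python
import ipaddress

# Assumption (not stated in the report): the 32 bits of the IPv4 tunnel
# endpoint are placed in the high-order bits of an IPv6 address and the
# rule matches on /32, so the remaining 96 bits are ignored.
V4_SHIFT = 96


def ipv4_as_policy_tunnel_v6(ipv4: str) -> str:
    """Render an IPv4 endpoint in the undocumented ip6tables form, e.g.
    1.2.3.4 -> 102:304::/32."""
    v4 = ipaddress.IPv4Address(ipv4)
    v6 = ipaddress.IPv6Address(int(v4) << V4_SHIFT)
    return f"{v6.compressed}/32"


def recover_ipv4(policy_v6: str) -> str:
    """Inverse mapping: read the IPv4 address back out of the /32 form."""
    net = ipaddress.IPv6Network(policy_v6, strict=False)
    if net.prefixlen != 32:
        raise ValueError("expected a /32 prefix, got /%d" % net.prefixlen)
    return str(ipaddress.IPv4Address(int(net.network_address) >> V4_SHIFT))


def low_bits_ignored(policy_v6: str, candidate_v6: str) -> bool:
    """True if the /32 match would accept candidate_v6 regardless of
    whatever the kernel puts in the low 96 bits."""
    net = ipaddress.IPv6Network(policy_v6, strict=False)
    return ipaddress.IPv6Address(candidate_v6) in net


def mark_rule(tunnel_dst: str, tunnel_src: str, mark: str) -> str:
    """Build the mangle-table MARK rule from IPv4 tunnel endpoints."""
    return (
        "ip6tables -t mangle -A INPUT --match policy --dir in "
        "--pol ipsec --mode tunnel "
        f"--tunnel-dst {ipv4_as_policy_tunnel_v6(tunnel_dst)} "
        f"--tunnel-src {ipv4_as_policy_tunnel_v6(tunnel_src)} "
        f"-j MARK --set-mark {mark}"
    )


if __name__ == "__main__":
    print(mark_rule("1.2.3.4", "5.6.7.8", "0x08/0x08"))
```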

