Ronen,
If you use the RAW firewall table to accept IPENCAP traffic, 3 major
things happen:
- the RAW table accepts packets without the kernel further processing
them; basically, they should exit netfilter into kmod-ipip
- if you use a program such as NetFlow (softflowd), it will not work -
you must add the rule to the INPUT table (or otherwise mark them as
tracked) if you wish to have records of the inbound outer headers
- you will only see a firewall hit counter for the rule in the RAW table
Be advised that ampr-ripd running in raw mode also has this behavior,
except that it skips netfilter on the outer header.
73,
- Lynwood
KB3VWG
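
The two ways of admitting IPENCAP (IP protocol 4) traffic that the message
above contrasts, written out as iptables commands. This is an added example,
not code from Lynwood's message or from any 44Net project; the interface
name, the tunnel peer address and the dry-run wrapper are assumptions. The
practical difference is that a NOTRACK rule in the raw table stops conntrack
from ever creating an entry for the packet, so state-matching rules in INPUT
never see it and the raw rule's counter is the only place the hit shows up;
accepting it in INPUT with conntrack left in place gives you the conntrack
entry that conntrack-based accounting and flow export read. Whether a given
flow exporter is affected depends on whether it reads conntrack or a
netfilter hook, or captures packets with libpcap on the interface.

```shell
#!/bin/sh
# Added example, not from the original post: the two rule sets discussed
# above. Default is a dry run that prints the iptables commands; set
# APPLY=1 and run as root to install them for real.

IFACE="${IFACE:-eth0}"       # assumption: outer IPENCAP packets arrive here
PEER="${PEER:-198.51.100.1}" # assumption: remote tunnel endpoint (outer src)

# Run the command when APPLY=1, otherwise just print it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Variant A: mark protocol-4 packets from the peer as untracked in the raw
# table. Conntrack runs after raw/PREROUTING, so no conntrack entry is
# created, "-m conntrack --ctstate ESTABLISHED,RELATED" rules in INPUT do
# not match these packets, and the raw rule is the only counter that
# increments for the outer header. They still traverse filter/INPUT, so an
# explicit per-protocol ACCEPT is needed there unless the policy is ACCEPT.
raw_notrack_rules() {
    run iptables -t raw -A PREROUTING -i "$IFACE" -p 4 -s "$PEER" -j NOTRACK
    run iptables -A INPUT -i "$IFACE" -p 4 -s "$PEER" -j ACCEPT
}

# Variant B: leave conntrack alone and accept the tunnel in INPUT. The outer
# packet gets a conntrack entry (visible with "conntrack -L -p 4"), the
# generic ESTABLISHED,RELATED rule handles the return direction, and both
# the INPUT counter and conntrack-based accounting see the traffic.
tracked_rules() {
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -p 4 -s "$PEER" -m conntrack --ctstate NEW -j ACCEPT
}

# Where to look for the hit counters afterwards (per variant).
show_counters() {
    run iptables -t raw -L PREROUTING -v -n
    run iptables -L INPUT -v -n
}

echo "# Variant A: raw-table NOTRACK"
raw_notrack_rules
echo "# Variant B: conntrack-tracked accept in INPUT"
tracked_rules
echo "# Counters"
show_counters
```

Pick one variant per host; installing both makes the raw NOTRACK win, because raw/PREROUTING runs before conntrack and the `--ctstate NEW` rule will then never match the tunnel packets.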