Now we can discuss more subtle differences between tunneling in 2.0 and 2.2.
ipip. 2.2 tries to select the best tunnel device, and the packet then
looks as if it had been received on that device. For example, if the
host receives an ipip packet from host D destined to our local address S,
the kernel searches for a matching tunnel in this order:

1       remote is D and local is S
2       remote is D and local is wildcard
3       remote is wildcard and local is S
4       tunl0
If a tunnel exists but is not in the UP state, it is ignored. Note that
if tunl0 is UP, it receives all IPIP packets that are not claimed by a
more specific tunnel.

Be careful: this means that without carefully installed firewall rules,
anyone on the Internet can inject into your network packets whose source
addresses are indistinguishable from local ones (it is enough to wrap the
spoofed packet in an outer IPIP header addressed to S; the decapsulated
packet is then delivered on tunl0). It is a good idea to design tunnels
so that routing is as symmetric as possible, and to enable reverse path
filtering (the rp_filter sysctl option) on tunnel devices. The two pieces
of advice go together: rp_filter drops a packet whose route back to its
source does not leave via the device it arrived on, so with asymmetric
routes it would also drop legitimate traffic.
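The selection order above and the reason the rp_filter advice matters, as an added simulation written for this page (it is an illustration, not kernel code); the Tunnel and Route structures, the deliver() helper, the addresses and the routing table are all constructed assumptions:

```python
"""Simulation of how a Linux 2.2 kernel picks the receiving ipip tunnel device,
and of the reverse path filter (rp_filter) check on that device.
Added illustration, not kernel code; addresses and routes below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

WILDCARD = "0.0.0.0"  # stands in for an unset local/remote address


@dataclass(frozen=True)
class Tunnel:
    name: str
    remote: str = WILDCARD  # outer source we expect, or WILDCARD
    local: str = WILDCARD   # outer destination we expect, or WILDCARD
    up: bool = True


def select_tunnel(tunnels: List[Tunnel], outer_src: str, outer_dst: str) -> Optional[Tunnel]:
    """Tunnel the packet is delivered on, following the four-step search order
    in the text. Tunnels that are not UP are skipped at every step; None means
    no device accepts the packet."""
    steps = [
        lambda t: t.remote == outer_src and t.local == outer_dst,   # 1: exact
        lambda t: t.remote == outer_src and t.local == WILDCARD,    # 2: remote only
        lambda t: t.remote == WILDCARD and t.local == outer_dst,    # 3: local only
        lambda t: t.name == "tunl0",                                # 4: catch-all
    ]
    for matches in steps:
        for t in tunnels:
            if t.up and matches(t):
                return t
    return None


Route = Tuple[str, str]  # (prefix in CIDR form, output device)


def route_dev(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup over a constructed routing table."""
    best = None
    for prefix, dev in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def rp_filter_accepts(routes: List[Route], in_dev: str, inner_src: str) -> bool:
    """Strict reverse path filter: the route back to the inner source must
    leave via the device the decapsulated packet arrived on."""
    return route_dev(routes, inner_src) == in_dev


def deliver(tunnels, routes, outer_src, outer_dst, inner_src):
    """Outcome for one IPIP packet: (receiving tunnel name or None, accepted?)."""
    t = select_tunnel(tunnels, outer_src, outer_dst)
    if t is None:
        return None, False
    return t.name, rp_filter_accepts(routes, t.name, inner_src)


# Constructed topology: S is our address, D the peer at the far end of "Cisco",
# 10.0.0.0/8 lives behind the peer, 198.51.100.0/24 is our local LAN.
S, D = "198.51.100.1", "192.0.2.1"
TUNNELS = [Tunnel("Cisco", remote=D, local=S), Tunnel("tunl0")]
ROUTES = [("198.51.100.0/24", "eth0"), ("10.0.0.0/8", "Cisco"), ("0.0.0.0/0", "eth0")]

if __name__ == "__main__":
    # Genuine packet from D: lands on Cisco, reverse route matches.
    print(deliver(TUNNELS, ROUTES, D, S, "10.7.7.7"))
    # Same inner packet wrapped by an arbitrary Internet host: lands on the
    # tunl0 catch-all, and strict rp_filter there rejects it.
    print(deliver(TUNNELS, ROUTES, "203.0.113.9", S, "10.7.7.7"))
```

Run it and compare the two lines: the spoofed packet is accepted by the kernel as ipip (tunl0 is UP) and only the rp_filter check on tunl0 stops it; take tunl0 down, or filter IPIP (protocol 4) from unexpected outer sources, and the packet is never delivered at all.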
tcpdump. For example, tcpdump -i Cisco -nvv dumps the packets the kernel
sends out via the tunnel Cisco and the packets received on it, as seen
from the kernel's viewpoint, that is, the inner packets rather than the
IPIP-encapsulated packets visible on the physical interface.