Now we can discuss more subtle differences between tunneling in 2.0 and 2.2.
ipip. 2.2 tries to select the best
tunnel device, and the packet appears to have been received on it. For example, if the host
receives an ipip packet from host D destined to our
local address S, the kernel searches for matching tunnels
in this order:
| 1 | remote is D and local is S |
| 2 | remote is D and local is wildcard |
| 3 | remote is wildcard and local is S |
| 4 | tunl0 |
If a tunnel exists but is not in the UP state, it is ignored.
Note that if tunl0 is UP, it receives all the IPIP packets
that are not accepted by more specific tunnels.
Be careful: this means that without carefully installed firewall rules,
anyone on the Internet may inject into your network arbitrary packets with
source addresses indistinguishable from local ones. It is not a bad idea
to design tunnels in a way that enforces maximal route symmetry,
and to enable the reverse path filter (rp_filter sysctl option) on
tunnel devices.
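The lookup order and the tunl0 fallback described above, as a simplified C model added here for illustration (not kernel code and not part of the original document). The struct, the function name ipip_lookup and the addresses are assumptions; tunl0 is modelled as an entry with both endpoints wildcard.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define ANY      0u           /* wildcard endpoint */
#define PEER     0xC0000201u  /* 192.0.2.1, constructed remote D */
#define LOCAL    0xC6336401u  /* 198.51.100.1, constructed local S */
#define STRANGER 0xCB007107u  /* 203.0.113.7, constructed unconfigured sender */

/* Hypothetical model of a configured tunnel, not the kernel's structure. */
struct tunnel { const char *name; uint32_t remote, local; int up; };

/* Constructed configurations: one point-to-point tunnel plus tunl0. */
static const struct tunnel tunl0_up[]   = { {"Cisco", PEER, LOCAL, 1}, {"tunl0", ANY, ANY, 1} };
static const struct tunnel tunl0_down[] = { {"Cisco", PEER, LOCAL, 1}, {"tunl0", ANY, ANY, 0} };

/* Device that receives an IPIP packet src -> dst, or NULL if none matches. */
const struct tunnel *ipip_lookup(const struct tunnel *t, size_t n,
                                 uint32_t src, uint32_t dst)
{
    /* Pass order follows the table: (D,S), (D,*), (*,S), then tunl0. */
    const uint32_t want[4][2] = { {src, dst}, {src, ANY}, {ANY, dst}, {ANY, ANY} };

    for (int pass = 0; pass < 4; pass++)
        for (size_t i = 0; i < n; i++) {
            if (!t[i].up)
                continue;               /* a tunnel that is not UP is ignored */
            if (t[i].remote == want[pass][0] && t[i].local == want[pass][1])
                return &t[i];
        }
    return NULL;
}

static const char *dev(const struct tunnel *t) { return t ? t->name : "(no device)"; }

int main(void)
{
    printf("peer,     tunl0 UP:   %s\n", dev(ipip_lookup(tunl0_up, 2, PEER, LOCAL)));
    printf("stranger, tunl0 UP:   %s\n", dev(ipip_lookup(tunl0_up, 2, STRANGER, LOCAL)));
    printf("stranger, tunl0 DOWN: %s\n", dev(ipip_lookup(tunl0_down, 2, STRANGER, LOCAL)));
    return 0;
}
```

In this model the packet from the unconfigured sender is accepted only while tunl0 is UP, which is the case the firewall rules and rp_filter are meant to cover.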
tcpdump.
For example, tcpdump -i Cisco -nvv will dump the packets
that the kernel sends via the tunnel Cisco and the packets received on it,
as seen from the kernel's viewpoint.