
Filtering outgoing tunneled IPv6 packets with ipchains - possible?

To: netdev@xxxxxxxxxxx
Subject: Filtering outgoing tunneled IPv6 packets with ipchains - possible?
From: Peter Bieringer <pb@xxxxxxxxxxxx>
Date: Sat, 07 Oct 2000 17:54:40 +0200
Sender: owner-netdev@xxxxxxxxxxx
Hi,

I've got an interesting problem. On my IPv6 tunnel server, I do some simple IPv4 accounting using the ipchains byte counter. It has worked well for over a year.

Now I also want to count my tunneled IPv6 traffic. I've installed 2 rules in a new chain:

IPBASIC="IPv4 address of tunnel's Ethernet interface"

ipchains -N ipaccV6
ipchains -A input  -p 41 -d $IPBASIC -j ipaccV6
ipchains -A output -p 41 -s $IPBASIC -j ipaccV6
ipchains -A ipaccV6 -j ACCEPT

The basic chains all end with a deny/reject log, and the policy is similar. Forwarding is similar.

Now the strange behavior:
The input-related chain counts packets, the outgoing one does not!

Is it possible that the ipchains outgoing ruleset does not work for tunneled IPv6 packets?

Here is an IPv4-tcpdump only output from a ping6 via that tunnel:


17:47:58.777634 eth0 < 6BONE.UNI-MUENSTER.DE > tunnel.bieringer.de: ip-proto-41 104
17:47:58.777634 sit0 < 0:0:0:0:0:0 0:0:0:0:0:1 ipv6 118:
* counted *


17:47:58.777882 sit0 > 0:0:0:0:0:0 0:0:0:0:0:0 ipv6 118:
17:47:58.777937 eth0 > tunnel.bieringer.de > p3E991650.dip.t-dialin.net: ip-proto-41 104 (DF)
* not counted*


Can someone please test such behavior?

Used: Kernel 2.2.17 + Openwall-Patch, ipchains 1.3.9, 17-Mar-1999

TIA,
        Peter
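
An independent cross-check for the per-direction counters described in this message, as an added example that is not part of the original post: it tallies IPv4 protocol-41 packets seen on one interface from tcpdump text in the format quoted above, so the result can be compared with what the ipaccV6 chain reports. The function names are hypothetical, and the reading of `<` as received and `>` as sent is an assumption taken from the capture shown.

```shell
#!/bin/sh
# Added example (not from the original post): count IPv6-in-IPv4 (protocol 41)
# packets per direction from tcpdump text, to compare with the chain counters.
# Assumptions: field 2 is the interface, field 3 is "<" (received) or ">" (sent),
# and the number after "ip-proto-41" is the length as tcpdump printed it.

count_proto41() {
    # $1 = interface to account on; tcpdump lines are read from stdin.
    # Prints: "<in_pkts> <in_len> <out_pkts> <out_len>"
    awk -v ifc="$1" '
        $2 == ifc && ($3 == "<" || $3 == ">") {
            for (i = 4; i < NF; i++) {
                if ($i == "ip-proto-41") {
                    len = $(i + 1) + 0
                    if ($3 == "<") { ip++; ib += len } else { op++; ob += len }
                    break
                }
            }
        }
        END { printf "%d %d %d %d\n", ip, ib, op, ob }
    '
}

# Sample input: the four tcpdump lines quoted in the message, embedded inline.
sample_capture() {
    cat <<'EOF'
17:47:58.777634 eth0 < 6BONE.UNI-MUENSTER.DE > tunnel.bieringer.de: ip-proto-41 104
17:47:58.777634 sit0 < 0:0:0:0:0:0 0:0:0:0:0:1 ipv6 118:
17:47:58.777882 sit0 > 0:0:0:0:0:0 0:0:0:0:0:0 ipv6 118:
17:47:58.777937 eth0 > tunnel.bieringer.de > p3E991650.dip.t-dialin.net: ip-proto-41 104 (DF)
EOF
}

# One packet in and one packet out on eth0; the sit0 lines are not protocol 41.
sample_capture | count_proto41 eth0
```

If the chain's outgoing counter stays at zero while this tally shows sent protocol-41 packets on the Ethernet interface, the packets are leaving without matching the output rule.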

