in RFC 4213, section 3.4, page 11, it says: If sufficient data bytes from the offending packet are available, the encapsulator MAY extract the encapsulated IPv6 packet and use it to generate an ICMPv6 message directed back to the originating IPv6 node, as shown below: +--------------+ | IPv4 Header | | dst = encaps | | node | +--------------+ | ICMPv4 | | Header | - - +--------------+ | IPv4 Header | | src = encaps | IPv4 | node | +--------------+ - - Packet | IPv6 | | Header | Original IPv6 in +--------------+ Packet - | Transport | Can be used to Error | Header | generate an +--------------+ ICMPv6 | | error message ~ Data ~ back to the source. | | - - +--------------+ - - but in the code, when receive a encapsulated ICMPv4 error packet, the stack is this: ip_rcv()->icmp_rcv()->icmp_unreach()->tunnel64_err()->ipip6_err() and in function ipip6_err(), it just use the src ipv4 and dst ipv4 address to get tunnel interface, but not decapsulate the packet or check whether there is enough ipv6 information in the packet. so when this function finish, use skb_free(), then the packet is dropped. so now i want to know, how to resolve this problem? can you give me a patch?