GRE tunnels with firewalld

nylarahotep
Posts: 15
Joined: 2008/04/22 17:06:10

GRE tunnels with firewalld

Post by nylarahotep » 2018/08/25 03:05:59

I have set up a GRE tunnel between two CentOS 7 systems. The tunnel works -- I can send packets back and forth, ping the tunnel interfaces, etc.
I've been trying to figure out the minimalist firewall rules for the tunnel to work, and it's confusing. I should think that just enabling the GRE protocol would work, but it doesn't.

A rule that accepts all packets from the peer works:
firewall-cmd --zone=<internal> --add-rich-rule='rule family=ipv4 source address="ww.xx.yy.zz" accept'

However, if I try to limit it to just GRE packets, the tunnel doesn't work:
firewall-cmd --zone=<internal> --add-rich-rule='rule family=ipv4 source address="ww.xx.yy.zz" protocol value=gre accept'

or just GRE packets:
firewall-cmd --zone=<internal> --add-rich-rule='rule family=ipv4 protocol value=gre accept'

If I enable firewalld logging, I see the packets getting rejected
STATE_INVALID_DROP ... PROTO=47

I can provide lots more configuration details. Any hints would be appreciated.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: GRE tunnels with firewalld

Post by aks » 2018/08/27 17:44:30

It's been a while since I had to do anything like this, but from memory, set the protocol id to match firewalld (aka iptables) and manipulate the traffic based on the protocol id.

nylarahotep
Posts: 15
Joined: 2008/04/22 17:06:10

Re: GRE tunnels with firewalld

Post by nylarahotep » 2018/08/28 04:36:02

Sorry, not quite following you there. The 'protocol id' is 47 (GRE). Not sure what you mean by 'manipulate' the traffic, but adding the protocol or rich rules specifying the protocol seems to have no effect; packets get dropped. Adding the tunnel interface or IP address has no effect either. The latter is confirmed by the logging, since the packet getting dropped is the physical interface address, not the tunnel.
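Added example, not code from the thread: a small Python parser for firewalld LogDenied entries like the STATE_INVALID_DROP ... PROTO=47 line quoted in the first post. It counts dropped GRE packets by log prefix, ingress interface and addresses, which is a quick way to check the last post's observation that the drops arrive on the physical interface rather than the tunnel interface. The log lines, interface names and addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the layout firewalld's LogDenied setting produces
# through the kernel netfilter log: a prefix such as STATE_INVALID_DROP or
# FINAL_REJECT, then key=value fields. Interfaces and addresses are made up.
SAMPLE_LOG = """\
kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=47
kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=47
kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Log prefix (optionally preceded by "kernel: ") followed by the field list.
PREFIX_RE = re.compile(r"(?:kernel: )?([A-Z_]+): (.*)")
# key=value pairs; bare flags such as DF carry no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

GRE_PROTO = "47"  # netfilter logs GRE by its IP protocol number, as in PROTO=47


def parse_line(line):
    """Return a dict of the netfilter fields on one log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    fields["prefix"] = prefix
    return fields


def gre_drops(log_text):
    """Count dropped GRE packets keyed by (prefix, ingress interface, SRC, DST)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") == GRE_PROTO:
            key = (f["prefix"], f.get("IN", ""), f.get("SRC", ""), f.get("DST", ""))
            counts[key] += 1
    return counts


def ingress_interfaces(counts):
    """Set of interfaces the dropped GRE packets arrived on (IN= field)."""
    return {key[1] for key in counts}


if __name__ == "__main__":
    drops = gre_drops(SAMPLE_LOG)
    for (prefix, iface, src, dst), n in sorted(drops.items()):
        print(f"{n:>4} {prefix} in={iface} {src} -> {dst}")
    print("GRE drops seen on:", ", ".join(sorted(ingress_interfaces(drops))))
```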
