GSM 04.64 8.4.2 asks to ignore UI frames if the DLCI is not known,
or if the "(V(UR) - 32) <= N(U) < V(UR)". E.g. if we want to have
V(UR) == 511 and this frame is dropped, we would ignore N(U)'s
0 to 510. Calculate the delta.
The code is based on Jonathan Santos's "LLC UI window" fix but the
issue was discovered independently.
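The window check described in the commit message above, as an added example that is not the project's code: the delta between V(UR) and N(U) is taken modulo 512, and a plain integer comparison is kept beside it to reproduce the "ignore 0 to 510" case. The names `ui_in_discard_window`, `ui_naive_discard`, `count_discarded` and `ui_receive` are hypothetical, and setting V(UR) to N(U)+1 on acceptance is an assumption not stated in the message.

```c
#include <stdint.h>
#include <stdio.h>

#define LLC_SEQ_MOD   512u /* N(U) and V(UR) are 9-bit counters (0..511) */
#define LLC_UI_WINDOW 32u  /* width of the discard window in the rule above */

/* 1 if (V(UR) - 32) <= N(U) < V(UR) holds modulo 512, else 0. */
static int ui_in_discard_window(uint16_t vur, uint16_t nu)
{
	/* How far N(U) lies behind V(UR), wrapping at 512. */
	unsigned delta = (vur + LLC_SEQ_MOD - nu) % LLC_SEQ_MOD;

	return delta >= 1 && delta <= LLC_UI_WINDOW;
}

/* Constructed contrast: plain integer comparison without the modulo. */
static int ui_naive_discard(uint16_t vur, uint16_t nu)
{
	return nu < vur;
}

/* Number of distinct N(U) values a predicate rejects for a given V(UR). */
static unsigned count_discarded(int (*pred)(uint16_t, uint16_t), uint16_t vur)
{
	unsigned nu, n = 0;

	for (nu = 0; nu < LLC_SEQ_MOD; nu++)
		n += pred(vur, (uint16_t)nu) ? 1 : 0;
	return n;
}

/* Receive one UI frame: returns 1 if accepted, 0 if discarded.
 * Assumption: an accepted frame sets V(UR) = N(U) + 1 (mod 512). */
static int ui_receive(uint16_t *vur, uint16_t nu)
{
	if (ui_in_discard_window(*vur, nu))
		return 0;
	*vur = (uint16_t)((nu + 1u) % LLC_SEQ_MOD);
	return 1;
}

int main(void)
{
	uint16_t vur = 511;

	printf("V(UR)=511: window rejects %u values, naive compare rejects %u\n",
	       count_discarded(ui_in_discard_window, vur),
	       count_discarded(ui_naive_discard, vur));
	printf("N(U)=0 accepted: %d, V(UR) now %u\n",
	       ui_receive(&vur, 0), (unsigned)vur);
	return 0;
}
```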
The osmo-nitb application sometimes crashes because the BSC API
is doing an assignment underneath which is not handled by the code,
add dummy handlers to not crash, the right thing to do is to change
MNCC to have an assignment that can succeed/fail.
The keyword to look for is MNCC_LCHAN_MODIFY and mncc_sock should
wait for an ack/nack but right now the call just continues.
The UTC offset from the operating system will be used by default to
calculate the NITZ in MM INFO. However, a "timezone" vty command is
added at the BTS level, allowing BTS-specific overrides, e.g. in case
BTSs are distributed across multiple timezones.
The BSS-side of BSSGP requires quite a number of additional functions
for sending unidirectional messages that a SGSN never sends.
This is a first step into completing the BSSGP implementation and making
it ready to be used from osmo-bts and other BTS-side GPRS
implementations.
Send a hello packet down to the client with the version number
of the MNCC interface. The hello structure might be extended to
include the endianness, size of each structure, etc.
In this iteration I just want to make sure that each VTY command has
online help. Replace "a b" with "a-b" if there is no "a c" with b!=c.
This config should gain some more sanity and consistency, this will
happen in another iteration.
Also make sure to specify seconds in the 'seconds' field. Doing
otherwise is an abuse that no longer works with the new timer infra.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
do_reset was not initialized anywhere anymore, so the reset was never
triggered. It's now fixed and we add an option to skip it in the
config so that when in production, you can restart without config
changes quickly.
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
In case a MS (of which we have no MM context) sends us anything but a
GMM ATTACH REQUEST, we need to send it a LLC XID RESET (by means of
issuing LLGMM-RESET.req). Otherwise the phone will expect us to send a
specific unacknowledged sequence number that we don't know.
Thanks to Holger for pointing this bug out to me.
It seems to commonly occur when a MS is doing network re-selection and
(erroneously) sends a RA UPD REQ instead of an ATTACH REQ. The RA UPD
REJ that we sent was never seen by the GMM entity in the MS, as the LLC
entity discarded it due to sequence number mis-match.
Using LLGMM-RESET.req, the GMM can request the LLC of the MS to reset
all its parameters, particularly the sequence numbers. We don't yet do
XID RESET retransmissions, and we don't yet generate a LLGMM-RESET.conf
primitive back to GMM.
Ubuntu 11.10 has changed some linker/compiler flags. Some fixes for this
can be seen here[1]. In general the to be linked libs need to be moved into
the LDADD section of parameters. This is with the old BFD linker (not gold).
This is likely to end in some ping-pong with other versions of the linker.
[1] https://bugs.launchpad.net/ubuntu/+source/nis/+bug/771034
Errors:
/usr/bin/ld.bfd.real: bsc_hack.o: undefined reference to symbol 'osmo_init_ignore_signals'
/usr/bin/ld.bfd.real: note: 'osmo_init_ignore_signals' is defined in DSO /home/ich/install/openbsc/lib/libosmocore.so so try adding it to the linker command line
/home/ich/install/openbsc/lib/libosmocore.so: could not read symbols: Invalid operation
...
../../src/libbsc/libbsc.a(rest_octets.o):/home/ich/source/gsm/openbsc/openbsc/src/libbsc/rest_octets.c:381: more undefined references to `bitvec_set_bit' follow
../../src/libbsc/libbsc.a(rest_octets.o): In function `rest_octets_si13':
/home/ich/source/gsm/openbsc/openbsc/src/libbsc/rest_octets.c:382: undefined reference to `bitvec_set_uint'
/home/ich/source/gsm/openbsc/openbsc/src/libbsc/rest_octets.c:383: undefined reference to `bitvec_set_uint'
/home/ich/source/gsm/openbsc/openbsc/src/libbsc/rest_octets.c:385: undefined reference to `bitvec_set_bit'
/home/ich/source/gsm/openbsc/openbsc/src/libbsc/rest_octets.c:402: undefined reference to `bitvec_set_bit'
/home/ich/source/gsm/openbsc/openbsc/src/libbsc/rest_octets.c:403: undefined reference to `bitvec_set_uint'
gprs_gmm.c:240:2: warning: passing argument 4 of ‘gprs_llc_tx_ui’ discards qualifiers from pointer target type
../../include/openbsc/gprs_llc.h:151:5: note: expected ‘void *’ but argument is of type ‘const struct sgsn_mm_ctx *’
gprs_gmm.c:349:11: warning: unused variable ‘ptsig’
gprs_gmm.c:601:5: warning: too many arguments for format
gprs_gmm.c:987:25: warning: initialization discards qualifiers from pointer target type
gprs_gmm.c:1010:6: warning: ‘rc’ may be used uninitialized in this function
When the BTS reboots it might not want to accept our BTS Attr,
do not leave the bsc_msc_ip/bsc_nitb but simply drop the BTS
connection.
Manually cherry-picked from: 54e6c8b3400b376ed36fe84f28f7930d2d9ff24b
The libosmo-abis merge broke Ericsson RBS support, as it didn't get the
part right where the per-TRX OML sign_link is determined while
transmitting OM2000 messages.
As a result of this fix, we can remove the 'to_trx_oml' parameter to
_abis_nm_sendmsg(), which is a nice cleanup.
In order to have the MNCC application reliably decide on the codec type,
it needs to know if we are running on a TCH/F or TCH/H. Thus, we pass
lchan_mode as a new parameter to the 'struct gsm_mncc'
When gsm48_send_rr_ass_cmd() is being called to send the ASSIGNMENT
COMMAND, we need to use the proper lchan->ms_power setting, not
some fixed magic "0x3" number.
Without this patch, every MS would transmit at a very high output power
following an assignment command - more than what was set in the config
file with "ms max power"
In case of a nack the secondary_lchan will be NULLed but then the T10
timeout will attempt to release the channel and we will try to release
a NULL pointer.
Daniel witnessed this crash at the camp and added the NULL check at:
28d9ccbca0, it is also the proper fix
given the _NAK handling.
When we got a clear request we did not clear the internal
association between the gsm_subscriber_connection and the SCCP
part. When we got a DTAP message before the CLEAR COMMAND we
will end up in a crash as the ->bts pointer of the connection
has been cleared.
#0 bsc_scan_msc_msg (conn=0xde178, msg=<value optimized out>) at osmo_bsc_filter.c:258
#1 0x000112c8 in bsc_handle_dt1 (conn=0xdebd8, msg=0xd1f58, len=<value optimized out>) at osmo_bsc_bssap.c:507
#2 0x00010208 in msc_outgoing_sccp_data (conn=<value optimized out>, msg=0xdfacc, len=858696) at osmo_bsc_sccp.c:73
#3 0x0003c110 in sccp_system_incoming (msgb=0xd1f58) at sccp.c:1064
Remove the separation of half-rate and full-rate AMR. The used rate
can be found inside the AMR payload. The signalling of what kind of
traffic channel is used can be done with the GSM 08.08 Chosen
Channel IE in the Assignment Complete message.
This way I can use a fixed payload type in the MGCP GateWay but
have a mixed TCH/F and TCH/H config. E.g. use TCH/F FR3 for some
subscribers when connected to MSC A but use AMR5.9 on a TCH/F for
MSC B when all TCH/Hs are gone.
When the CRCX 200 is lost on the way to the CallAgent we will
get another CRCX (retransmission) which was answered with a 400.
Change the code to extract the CallID, Mode and the optional
LocalOptions first. Then check if the endp is allocated with the
same call identifier, in that case return the current session
information.
The SDP file for FreeSWITCH should contain o= (Origin) and the
t= (Timing) for the session. The data of the Origin should be
globally unique but this is not the case yet. We will need to
store the (NTP) time of the creation of the endpoint.
Move the regexp parsing code from the NAT to libcommon as it will
be used by the NAT and BSC code. This also adds the #include <regex.h>
include to gsm_data. This header should be split up.
This is a big patch that ports openBSC over libosmo-abis.
Sorry, the changes that are included here are all dependent
of libosmo-abis, splitting them into smaller pieces would
leave the repository in some intermediate state, which is
not desired.
The main changes are:
- The directory libabis/ has been removed as it now lives in
libosmo-abis.
- new configuration file format for nanoBTS and HSL femto, we
need to define the virtual e1_line and attach it to the OML
link.
- all the existing BTS drivers (nanoBTS, hsl femto, Nokia site,
BS11 and rbs2000) now use the new libosmo-abis framework.
- use r232 input driver available in libosmo-abis for bs11_config.
- use ipa_msg_recv instead of old ipaccess_read_msg function.
- delete definition of gsm_e1_subslot and input_signal_data.
These structures now live in libosmo-abis.
Most of this patch are deletions of libabis/ which has been
moved to libosmo-abis.
This patch also modifies openBSC to use all the new definitions
available in libosmocore and libosmo-abis. In order to do that,
we have replaced the following:
- DINP, DMI, DMIB and DMUX by their respective DL* correspondences.
- SS_GLOBAL by SS_L_GLOBAL
- SS_INPUT by SS_L_INPUT
- S_GLOBAL_SHUTDOWN by S_L_GLOBAL_SHUTDOWN
- SS_INPUT by SS_L_INPUT
- S_INP_* by S_L_INP_* sub-signals
- E1INP_NODE by L_E1INP_NODE vty node
This patch has been tested with:
- one nanoBTS
- the HSL femto with the examples available under libosmo-abis
- BS11 with both dahdi and misdn drivers.
This patch modifies openBSC code to use msg->dst which stores the
pointer to the signalling link structure instead of the pointer to
the transceiver structure.
This patch prepares the introduction of libosmo-abis.
It is possible that MNCC sends a MNCC_LCHAN_MODIFY and
wants a channel mode that is not possible on the current
lchan, in that case a new channel is assigned. We now crash
as the osmo-nitb is not having an assignment complete handler,
add a NULL check.
The Nokia metrosite BTS seem to keep the channels open indefinitely.
If osmo-nitb is restarted while one of the channels was still active
and tries to activate that channel again the bts would return a
CHANNEL ACTIVATE NACK with "Radio channel already activated". This
accumulated over the restarts so soon enough no more channels were
available.
This patch sends a release request to the bts so the channel
becomes available again.
The function lchan_alloc only considers lchans to be available if both
the type and state are NONE. So change show lchan to list all lchans
that are not considered available.
This will cause the remote end to read 0 bytes, which is interpreted as
if we cleanly closed the socket, making the remote end close their side
of the socket, which would lead to us closing our side of the socket,
so we should never send such a packet.
The timer callback will simply reset the lchan state to NONE in order
to prevent channels getting stuck in 'activation requested' or
'deactivation requested' states.
During the GSM deployment in the CCC Camp, Daniel Willmann
noticed that the LCR and the MNCC were closing the local
connection over unix sockets communication quite so often.
After some debugging, Peter Stuge noticed that openBSC was
closing the connection since write was returning 0.
Then, I suggested that it could be a malformed message with
zero length. By skipping empty messages, Peter confirmed that
the connection between the LCR and the MNCC was not closing
anymore. However, there was no voice in the calls that went
over MNCC.
After some more debugging I found that we were not building
GSM_TCHF_FRAME over MNCC appropriately in the TRAU multiplexer
code, since we forgot to msgb_put() the message.
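Why a zero-length message reads as a close, shown as an added example that is not the project's code: on a message-oriented AF_UNIX socket the peer's recv() returns 0 both for an empty message and for a closed connection, so the sender has to refuse empty messages. It assumes a Linux SOCK_SEQPACKET socket pair standing in for the MNCC link; `send_msg_checked`, `peer_recv_after_send` and `peer_recv_after_close` are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Sender-side guard: never put an empty message on the socket. */
static int send_msg_checked(int fd, const void *data, size_t len)
{
	ssize_t rc;

	if (len == 0)
		return -EINVAL;	/* would look like a clean close to the peer */
	rc = send(fd, data, len, 0);
	return rc < 0 ? -errno : (int)rc;
}

/* Send one message of len bytes and return what the peer's recv() yields. */
static int peer_recv_after_send(const void *data, size_t len)
{
	char buf[64];
	int sv[2], rc;

	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0)
		return -errno;
	if (send(sv[0], data, len, 0) < 0) {
		rc = -errno;
	} else {
		/* Non-blocking so the example cannot hang. */
		ssize_t n = recv(sv[1], buf, sizeof(buf), MSG_DONTWAIT);
		rc = n < 0 ? -errno : (int)n;
	}
	close(sv[0]);
	close(sv[1]);
	return rc;
}

/* Close the sending end and return what the peer's recv() yields. */
static int peer_recv_after_close(void)
{
	char buf[64];
	int sv[2], rc;
	ssize_t n;

	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0)
		return -errno;
	close(sv[0]);
	n = recv(sv[1], buf, sizeof(buf), MSG_DONTWAIT);
	rc = n < 0 ? -errno : (int)n;
	close(sv[1]);
	return rc;
}

int main(void)
{
	printf("recv after 3-byte message: %d\n", peer_recv_after_send("abc", 3));
	printf("recv after empty message:  %d\n", peer_recv_after_send("", 0));
	printf("recv after peer close:     %d\n", peer_recv_after_close());
	return 0;
}
```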
Scenario: BTS are configured and working, then the BSC stops working
for some reason (crash or administrative stop).
If the BSC comes back to life, LAPD among other things does not know
about the previous existing TEIs. Instead of ignoring these frames,
we notify the driver that we are seeing frames with unknown TEIs, so
it can try to recover, e.g. by resending the SABM message.
Running the entire bts_nokia_site.c through the 'Lindent' script
to match indent/coding style with remainder of project.
There are still lots of other cleanups pending, but this one is
a purely cosmetic one.
DAHDI creates one device node for every E1 timeslot, starting from '1',
and keeps incrementing that number even for additional ports/cards.
Thus, we have to use the e1inp_line number multiplied by 31 as a base.
The byte ordering is a bit odd: The least significant byte is ahead of
the most significant byte, different from everything else in GSM that
seems to be big-endian.
Thanks to Seungju Kim <admin@manateeshome.com> for reporting the bug.
This fixes a bug introduced more than one year ago in commit
e38bd6caa34005816a9336f021fd17d328d5c901:
The RSL_IE_CHAN_IDENT is a TLV, but the GSM48_IE_CHANDESC_2 contained in
it, is a mere TV type IE with fixed length.
The problem specifically has caused problems on Nokia MetroSite BTS,
which apparently read the TSC out of this Layer3 IE.
The MS Radio Access Capability IE can be _very_ long in some recent
high-end mobile phones, way beyond the old 14-byte limit. We increase
our array to 52 bytes, and make sure not to overflow that buffer.
It was possible to set the LAC=0 on a subscriber that just has
done a LU because it did not respond to a paging request.
E.g. when a phone is rebooting, a SMS being delivered, the phone
is doing the LU, sub_ready_for_sm will try to send a SMS (but the
phone is not ready yet and it will timeout), then the paging code will
send us an expiration note and we might set the LAC=0 for this
subscriber.
Ideally we would be able to stop the paging request once the subscriber
is authenticated and then hand this to the SMS layer, right now the
best thing to do is to detect that we will run into this problem and
not send the SMS, not try to set the LAC=0.
When the BSC is refusing to open an outgoing connection the SCCP
connection was leaked. Use the normal free as the socket should
be either closed or disconnected.
Reset the BTS MO State on BTS bootstrap. This way we will always
test the BTS disconnect/reconnect case of the BTS.
Do not reset the administrative state of objects. The BSC might
have set these and wants to maintain them across disconnect/
reconnect. Right now this is true for the TRX state.
We want to compare the file more_magic[0] and more_magic[1]
with the static more_magic array to see where the difference
is.
src/ipaccess/ipaccess-firmware.c +64 ipaccess_analyze_file(26) warn: buffer overflow 'firmware_header->more_magic' 2 <= 2
src/ipaccess/ipaccess-firmware.c +64 ipaccess_analyze_file(26) warn: buffer overflow 'firmware_header->more_magic' 2 <= 3
* net.location to get/set the geographical location of the network
format is <tstamp>,<lat>,<lon>,<height>
* per trx rf_locked command (net.bts0.trx0.rf_locked)
* network-wide rf_locked command (net.rf_locked)
These commands are installed in controlif_setup. Query them like this:
"rate_ctr.<interval>.<counter group>.<index>.<counter name>" for rate
counters and "counter.<counter name>" for regular counters. <interval>
may be either "abs" for absolute values or one of
"per_{sec,min,hour,day}".
It is possible to query all rate counters in a group (regardless of
index) or all counters in a group and with a certain index if you omit
<counter name> and <index> or just <counter name>.
due to a missing return statement, we ran into the 'reject' case
of bssmap_handle_cipher_mode(). Due to another bug in libosmocore,
the reject message was corrupted (fixed in libosmocore commit
0c83670a595a278b7d1fb7b21b2eacab84d3c031)
GCC 4.6.0 and LD.BFD 2.21 on ARM somehow fail to resolve
the dbi symbols when we have the library in front of the
static libraries, move them to the back.
The idea that MCC and MNC is enough to classify a subscriber
turns out to be wrong. Certain operators license a number range
of IMSIs to others. When we see a '^' in the MCC field we treat
it as a regexp. The code now turns the MCC/MNC into a regexp
for the IMSI. It is not using extended POSIX regexp to match
the behavior of the access list.
Separate the code to patch the code and the code to find a
new number based on the old number. This will allow to add
multiple targets for number changing.
This patch fixes a segfault that occurred when a ipaccess RSL link gets
closed unexpectedly.
The segfault can be provoked by connecting to the RSL port with ncat and
hitting ^C.
This should not introduce any functional changes, it just re-arranges
some definitions in the header file, and introduces the ROLE_BSC
define that we enable for the BSC-specific fields.
The daemons set up nanoBTS and HSL femto sockets by default, ie. the
three sockets to support these two drivers are open even if we have
no BTS of that kind.
This patch enables on-demand socket creation, ie. we only enable them
if we have one BTS at least that requires it.
I added two new attributes to the gsm_bts object, they are:
* the start() function includes the code that we need to run to start
the BTS. This new function contains the socket creation in the
particular case of nanoBTS and HSL femto.
* the started boolean, which is used to know if we have already
started the BTS, ie. we have already invoked start().
Note that I have split the bts_model_*_init() function into two
functions, the _init() functions that register the BTS driver
and the _start() functions that start BTS driver on-demand.
While I was at it, I added several changes/cleanups to this patch:
* Group all bts_model_*_init() calls into one function bts_init(),
which is called in the initialization path of osmo-nitb and
osmo-bsc.
* Add openbsc/bss.h that contains the declaration of
bsc_bootstrap_network, bsc_shutdown_net and bts_init.
* Add missing e1inp_init() in osmo-bsc.
* Fix missing declaration of hsl_setup in openbsc/e1_input.h
The error message was missing in case of problems bootstrapping the BTS.
The E1 input driver initialization was displayed in the standard output,
now this error is reported via logs.
With this patch, we don't include e1_input if it's empty
[...]
timeslot 7
phys_chan_config TCH/F
hopping enabled 0
e1_input <----------------- empty, it should not show up.
msc
[...]
Pablo pointed out that my previous commit was rubbish. If we have
less than two arguments we want ifname to remain NULL and if we
have a second argument (or more) we want to use that as the interface
name to bind to.
Use the libosmocore code to ignore certain signals by
default (e.g. SIGHUP, SIGPIPE) and use the new code to
create a default stderr logging target and initialize
it properly.
This patch adds several messages that would be displayed if:
* the Ki argument is missing.
* you pass an invalid Ki.
* the database fails to perform the operation (add/delete/update).
Before this patch, no messages were spotted on these errors.
I noticed this while adding Ki to the existing subscribers in the
nanoBTS setup: I introduced a wrong Ki but the VTY command line did
not report any error. A quick look at the database via sqlite
command confirmed that the new authkey information was not added.
Introduce a paging group that a BSC can refer to and is used
during the LAC lookup. This way paging can be flooded through
the network and just filtered at the last element in the core.
The current code tries to find _one_ bsc for a paging message
and then continues. The new code will try to find multiple BSCs
for each LAC. This is done in preparation of having two BSCs
handle the same LAC. This code right now is O(m*n) but it will
be worse once paging groups are landed.
The code to test the function was reduced to just test the lac
lookup code as the other part can not be tested in a standalone
setup anymore.
The code to create the struct gsm_bts is in libcommon right now
and we can not call paging_init from there. Right now it appears
to be the easiest of doing the init internally.
Be able to configure a list of destinations (duplicates allowed)
that will be tried in a round robin fashion. The change is in
the bsc_msc_connection to operate on a list. We achieve the
round robin nature with the same trick used in the paging code
to delete and append the current entry. The nat code was updated
to compile but one can only configure one destination.
For restarting the NAT we can now block it, it will not accept
new connections and for existing connections it will attempt
to drop them over time. A blocked NAT will end up with no BSC
connections left and then can be safely restarted.
In case this is a local USSD connection we will ignore
the clear command and respond with a RLC to any RLSD but
will never forward that to the BSC. This way the external
USSD is fully in charge of the connection.
There are theoretical issues if there are multiple transactions
on the same SCCP Connection but this can not be solved properly
right now.
Keep track of the used transaction identifier and always forward
messages to the USSD provider. E.g. this can be used to have a
dialogue going. Right now it is still possible that the MSC will
close down the connection.
We need to and out the protocol discriminator as call control
might have use transactions. This has only failed for the USSD
filter so far as this must deal with transactions.
With this patch, ipaccess-proxy makes more robust option checking:
$ ./ipaccess-proxy -l 1.1.1.1 -b 2.2.2.2 -e
ERROR: missing mandatory argument for `-e' option
And we return to shell to enforce the user to try again with the
appropriate invocation.
Before this patch, the default getopt_long() error handling was
enabled which displayed this message:
./ipaccess-proxy: option requires an argument -- 'e'
and ipaccess-proxy continued working.
This is generic enough to cover other option that require mandatory
arguments like `--bsc' and `--listen'.
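One way to get the behaviour described in the commit message above, as an added example that is not the project's code: getopt's own diagnostic is switched off, a leading ':' in the option string makes a missing argument distinguishable, and parsing fails instead of continuing. The struct, the function name `parse_proxy_opts`, the pairing of `-l`/`-b` with `--listen`/`--bsc` and the field used for `-e` are assumptions.

```c
#include <errno.h>
#include <getopt.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct proxy_opts {
	const char *listen_ip;	/* -l / --listen */
	const char *bsc_ip;	/* -b / --bsc */
	const char *e_arg;	/* -e (meaning not stated in the message) */
	int missing_opt;	/* option letter that lacked its argument, or 0 */
};

/* Returns 0 on success, -EINVAL on a missing argument or unknown option. */
static int parse_proxy_opts(int argc, char **argv, struct proxy_opts *o)
{
	static const struct option long_opts[] = {
		{ "listen", required_argument, NULL, 'l' },
		{ "bsc",    required_argument, NULL, 'b' },
		{ NULL, 0, NULL, 0 }
	};
	int c;

	memset(o, 0, sizeof(*o));
	optind = 1;	/* restart scanning so the function can be called again */
	opterr = 0;	/* suppress getopt_long()'s default error message */

	/* The leading ':' makes getopt_long() return ':' (not '?') when a
	 * mandatory argument is missing; optopt holds the option letter. */
	while ((c = getopt_long(argc, argv, ":l:b:e:", long_opts, NULL)) != -1) {
		switch (c) {
		case 'l': o->listen_ip = optarg; break;
		case 'b': o->bsc_ip = optarg; break;
		case 'e': o->e_arg = optarg; break;
		case ':':
			o->missing_opt = optopt;
			fprintf(stderr, "ERROR: missing mandatory argument "
				"for `-%c' option\n", optopt);
			return -EINVAL;
		default:	/* '?': unknown option */
			fprintf(stderr, "ERROR: unknown option\n");
			return -EINVAL;
		}
	}
	return 0;
}

int main(int argc, char **argv)
{
	struct proxy_opts o;

	/* Fail closed: do not keep running with a half-parsed command line. */
	if (parse_proxy_opts(argc, argv, &o) < 0)
		return EXIT_FAILURE;
	printf("listen=%s bsc=%s\n",
	       o.listen_ip ? o.listen_ip : "(unset)",
	       o.bsc_ip ? o.bsc_ip : "(unset)");
	return EXIT_SUCCESS;
}
```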
Now ipaccess_idtag_parse() returns -EINVAL instead of -1. We also
check for the return value of this function in every invocation to
skip further processing in case of messages with malformed TLVs.
This idea was suggested by Zecke.
When we have no other MNCC connection but the registration of the
new fd is failing we should not disable reading from the listen_fd
for ever as the situation might not be permanent.