We see GTP-U originating from ports other than 2152 in the field. When
osmo-upf forwards these, we want to forward from our GTP-U port 2152,
since that is the only port osmo-upf has bound for GTP-U (for echo).
According to 3GPP TS 29.060, the *destination* port for GTP-U shall be
2152 -- but the source port is apparently allowed to be different.
Before this patch, we would forward GTP-U like this:
3.3.3.3:33333 -> (3.3.3.4:2152 UPF 2.2.2.2:33333) -> 1.1.1.1:2152
^^^^^
Instead we want to always send from UDP source port 2152:
3.3.3.3:33333 -> (3.3.3.4:2152 UPF 2.2.2.2:2152) -> 1.1.1.1:2152
^^^^
This hasn't shown up before because so far all GTP-U peers we saw
consistently used source port 2152.
Related: SYS#6773
Change-Id: Idaf43f1c2b915846b50a8b97305f0229e34ad539
Make the nft table owned by the osmo-upf process, so that any kind of
graceful or ungraceful exit will drop all tunmap rules implicitly.
Related: SYS#6327 SYS#6264
Change-Id: Ia26bb295849905ccfeaec801d7b187bf85f21366
Take care of two problems:
- limitation of <= 1024 base chains in nftables, so far meaning we can
establish at most 1024 GTP tunnel mappings.
- mangling of source IP in prerouting so far meaning that the system
needs to be configured to permit 'martian' packets
The new ruleset separates in pre- and post-routing, so that we set a new
destination IP address in pre-routing, and set a new source IP address
in post-routing. Hence no problem with martian packet rejection.
The new ruleset uses verdict maps, which are more efficient, and do not
hit a limit of 1024 as base chains do.
Before, the nft rule used one chain id. In the new ruleset, each tunmap
now needs two distinct chain ids. Refactor.
Related: SYS#6327 SYS#6264
Change-Id: Iccb975a1c0f8a2087f7b7dc4942a6b41f5675a13
Subsequent patch will refactor the tunmap nft ruleset. Instead of
adapting the 'tunmap append' feature to the new ruleset, rather drop
this feature entirely.
The 'nft rule tunmap append' was intended for enabling 'trace' in the
nft ruleset. However, the same can be achieved via the nft cmdline tool.
For example:
sudo nft 'add chain filter trace_chain { type filter hook prerouting priority -301; }'
sudo nft 'add rule filter trace_chain meta nftrace set 1'
Related: SYS#6327 SYS#6264
Change-Id: I1ae36f2f520217254c81fd765d27333ff0f457b2
This 'accept' is not an optional addition, it should always be present.
(Just saying because previous patch added a VTY command to configure
additions to the rules, and this patch is orthogonal to that.)
Related: OS#5810
Change-Id: I129133cc5d7180ce3761d5604d602d23a5ef9825
It can be useful to add 'meta nftrace set 1' to nftables rules to help
analysis / site debugging. Add the possibility to do this by cfg.
Instead of adding the fixed string of 'meta nftrace set 1', allow
appending arbitrary strings to the nftables rules, to accomodate any
other future tweaks that may be useful.
Related: SYS#6192
Change-Id: Ia1fac67108902a48b43d8d1dc184ccf541fd9ba8
Add VTY command to print out an nftables ruleset that osmo-upf produces,
with arbitrary IP addrs / TEIDs inserted. This allows tracking in *.vty
tests how the nftables rulesets are changed by patches.
future:
- Adding the 'tunmap' keyword to allow adding show commands for
different uses of nftables.
- Adding the 'example' keyword to allow adding show commands for
actual tunmap IDs / PFCP session IDs / ...
- Matches upcoming vty commands
'nft-rule tunmap append .NFT_RULE'
'no nft-rule tunmap append'
'show nft-rule tunmap append'
Add new separate nft-rule.vty -- more to come here in upcoming patch.
Change-Id: I9b57aa492c051e480c9bd819ae58f8f59a13af40
Neels Hofmeyr