Commit Graph

15 Commits

Author SHA1 Message Date
Neels Hofmeyr 091603c4a4 deprecate cfg 'nft rule tunmap append'
Subsequent patch will refactor the tunmap nft ruleset. Instead of
adapting the 'tunmap append' feature to the new ruleset, rather drop
this feature entirely.

The 'nft rule tunmap append' was intended for enabling 'trace' in the
nft ruleset. However, the same can be achieved via the nft cmdline tool.
For example:

 sudo nft 'add chain filter trace_chain { type filter hook prerouting priority -301; }'
 sudo nft 'add rule filter trace_chain meta nftrace set 1'

Related: SYS#6327 SYS#6264
Change-Id: I1ae36f2f520217254c81fd765d27333ff0f457b2
2023-02-09 00:13:08 +01:00
Neels Hofmeyr 95ab35035a nft: append 'accept' to each rule
This 'accept' is not an optional addition, it should always be present.
(Just saying because previous patch added a VTY command to configure
additions to the rules, and this patch is orthogonal to that.)

Related: OS#5810
Change-Id: I129133cc5d7180ce3761d5604d602d23a5ef9825
2022-12-09 18:28:19 +01:00
Neels Hofmeyr 8525c49c5d add cfg: tunmap / nft-rule append
It can be useful to add 'meta nftrace set 1' to nftables rules to help
analysis / site debugging. Add the possibility to do this by cfg.

Instead of adding the fixed string of 'meta nftrace set 1', allow
appending arbitrary strings to the nftables rules, to accommodate any
other future tweaks that may be useful.

Related: SYS#6192
Change-Id: Ia1fac67108902a48b43d8d1dc184ccf541fd9ba8
2022-12-09 18:28:19 +01:00
Neels Hofmeyr 0e66d699ed vty: add: show nft-rule tunmap example
Add VTY command to print out an nftables ruleset that osmo-upf produces,
with arbitrary IP addrs / TEIDs inserted. This allows tracking in *.vty
tests how the nftables rulesets are changed by patches.

future:
- Adding the 'tunmap' keyword to allow adding show commands for
  different uses of nftables.
- Adding the 'example' keyword to allow adding show commands for
  actual tunmap IDs / PFCP session IDs / ...
- Matches upcoming vty commands
  'nft-rule tunmap append .NFT_RULE'
  'no nft-rule tunmap append'
  'show nft-rule tunmap append'

Add new separate nft-rule.vty -- more to come here in upcoming patch.

Change-Id: I9b57aa492c051e480c9bd819ae58f8f59a13af40
2022-12-09 18:28:19 +01:00
Neels Hofmeyr eb8361f4c5 nft: allow to get the ruleset string without running
Separate string composition of the nftables ruleset from the actual
activation of the ruleset to nftables.

For a 'show' VTY command added in upcoming patch, I'd like to be able to
vty_out() an nftables rule set. Provide API for that.

Change-Id: I0124a68ccf1ac7b90c5cc32d0cbf58d0cc219ccc
2022-12-09 18:28:19 +01:00
Neels Hofmeyr 9c6a8e32a0 GTP,UE addrs in osmo_sockaddr: assert( port == 0 )
Assert that all port numbers in osmo_sockaddr parts of up_gtp_action are
zero: uncover code paths that leak port numbers into the gtp_action API.

GTP and UE addresses have no port information. Port numbers in GTP,UE
addresses stored in struct osmo_sockaddr should be zero, so that
- to-string conversion via osmo_sockaddr_to_str_c() returns only an IP
  address: for nftables rules and logging.
- osmo_sockaddr_cmp() matches on identical IP addresses "only", without
  the port numbers causing mismatches: for finding tunnels and devs.

Change-Id: If49f1e82e8cb92b7225e85a7c3b059e0f7f92fa3
2022-12-09 18:28:19 +01:00
Neels Hofmeyr 08af1f15f8 nft: ensure to assign rule id only once
Make sure an assigned id is not overwritten.

So far this function was guaranteed to be called only once. But I would
like to allow getting the nftables ruleset string more than once in a
future patch. Prepare that.

Change-Id: I4e8c48c01fb2f5d4cfd223fe03abbf15b1a55670
2022-12-09 18:28:19 +01:00
Neels Hofmeyr bd737c14fa nft: end each rule in semicolon
also cosmetic: put the line ending in a separate PRINTF so that adding
or removing items to the rule in future patches does not affect the line
ending.

Change-Id: I6ff6f59fb24a18596aa60848fb00ac70deb1985f
2022-12-09 18:28:19 +01:00
Neels Hofmeyr 2a9d91792e nft: log nft rulesets on debug log
Change-Id: I4436d107dc37abf3669970e8e5346d714dd17192
2022-12-09 17:26:09 +00:00
Neels Hofmeyr 95e56eaecb nft: rewrite source IP in outgoing GTP-U
Change-Id: I6d293c1dc69d1bab714564f48e3f85b769501d13
2022-12-09 17:25:58 +00:00
Neels Hofmeyr 341e130841 nft: incoming GTP-U: match on local IP, not remote IP
Change-Id: Ib6db148ca350107b2fc7adcaec0fc2930ffcbcde
2022-12-09 17:25:58 +00:00
Neels Hofmeyr feeaf35e44 nft: rename addr to addr_remote, add addr_local
Change-Id: I8d2ca99b17c26d1a869f4d84ad57157d29d9750b
2022-12-09 17:25:58 +00:00
Neels Hofmeyr 701bb8addc VTY: rename 'nft' to 'tunmap'
So far the config nodes were named after the implementation:
"GTP kernel module" = "gtp" and
"netfilter" = "nft"

We found that this is confusing, since both are related to handling GTP.
Rename "nft" to "tunmap"; a previous patch already renamed "gtp" to
"tunend".

Keep a hidden "nft" VTY cmd as backwards compat alias.

Related: SYS#6192
Change-Id: Ia3c5224dd3b5f5c9437bbdec997d02176818cc97
2022-11-18 23:49:14 +01:00
Neels Hofmeyr e35c12454a log: fix/tweak log msg about nft/mockup
There is no cmdline option --mockup-nft, that was an earlier stage of
the nftables mockup patch.

Related: SYS#5599
Change-Id: I2f77cfe727649bbdcebb4a656ebf97b186134ee8
2022-08-09 14:14:25 +02:00
Neels Hofmeyr 06482c6554 implement GTP tunnel mapping via netfilter
Implement support for PFCP rulesets that ask for mapping a GTP tunnel:
forwarding GTP payload between two GTP tunnels.

For a GTP tunnel mapping, dispatch netfilter rules that detect GTP
packets with a given source address and TEID, and replace the TEID and
destination address according to the PFCP ruleset.

The netfilter implementation is chosen to effect the packet rewriting
and forwarding to take place directly in the kernel, for high throughput
of GTP packets.

Related: SYS#5599
Change-Id: Ic0d319eb4f98cd51a5999c804c4203ab0bdda650
2022-07-20 17:08:53 +02:00