Commit Graph

14 Commits

Author SHA1 Message Date
Neels Hofmeyr 091603c4a4 deprecate cfg 'nft rule tunmap append'
Subsequent patch will refactor the tunmap nft ruleset. Instead of
adapting the 'tunmap append' feature to the new ruleset, rather drop
this feature entirely.

The 'nft rule tunmap append' was intended for enabling 'trace' in the
nft ruleset. However, the same can be achieved via the nft cmdline tool.
For example:

 sudo nft 'add chain filter trace_chain { type filter hook prerouting priority -301; }'
 sudo nft 'add rule filter trace_chain meta nftrace set 1'

Related: SYS#6327 SYS#6264
Change-Id: I1ae36f2f520217254c81fd765d27333ff0f457b2
2023-02-09 00:13:08 +01:00
Neels Hofmeyr 2a2884fbbe tunend: choose local GTP addr by Network Instance IEs
Implement handling of the Network Instance IEs from PFCP for tunend,
like already done for tunmap.

In 'tunend' cfg, allow indicating a local GTP address for both 'dev
create' and 'dev use'. Select a GTP device by the local address the
Network Instance IE in PFCP PDR indicates.

Related: SYS#6192
Change-Id: I376c09bfc1844df1e61d2efac17561fac614858b
2023-01-06 00:18:40 +01:00
Neels Hofmeyr 8525c49c5d add cfg: tunmap / nft-rule append
It can be useful to add 'meta nftrace set 1' to nftables rules to help
analysis / site debugging. Add the possibility to do this by cfg.

Instead of adding the fixed string of 'meta nftrace set 1', allow
appending arbitrary strings to the nftables rules, to accommodate any
other future tweaks that may be useful.

Related: SYS#6192
Change-Id: Ia1fac67108902a48b43d8d1dc184ccf541fd9ba8
2022-12-09 18:28:19 +01:00
Neels Hofmeyr 0e66d699ed vty: add: show nft-rule tunmap example
Add VTY command to print out an nftables ruleset that osmo-upf produces,
with arbitrary IP addrs / TEIDs inserted. This allows tracking in *.vty
tests how the nftables rulesets are changed by patches.

future:
- Adding the 'tunmap' keyword to allow adding show commands for
  different uses of nftables.
- Adding the 'example' keyword to allow adding show commands for
  actual tunmap IDs / PFCP session IDs / ...
- Matches upcoming vty commands
  'nft-rule tunmap append .NFT_RULE'
  'no nft-rule tunmap append'
  'show nft-rule tunmap append'

Add new separate nft-rule.vty -- more to come here in upcoming patch.

Change-Id: I9b57aa492c051e480c9bd819ae58f8f59a13af40
2022-12-09 18:28:19 +01:00
Neels Hofmeyr 3572241df5 tunmap: choose local GTP addr by Network Instance IEs
Add 'netinst' config section to osmo-upf.cfg, to define Network Instance
name to local IP address mappings.

For the tunmap use case (forwarding GTP tunnels), heed the Network
Instance IEs in PFCP session creation and return IP addresses in F-TEIDs
accordingly.

Related: SYS#6192
Related: I37bebc7d6ef75c3e6ae05e81b83a1b5895839a64 (osmo-ttcn3-hacks)
Change-Id: I15ee046a1c37b83b8a83527a67a6215a30106d81
2022-12-09 17:25:58 +00:00
Neels Hofmeyr 54ebc4772b VTY: show gtp: still list tunmap if no tunend device is open
When there was only tunend implemented, it made sense to show on VTY
when no GTP kernel device was open. Since we now also have tunmap via
netfilter, drop the early exit.

Change-Id: I9a43a240f2ca55cf2ca237a83aa13e68a625d6ea
2022-11-21 17:28:05 +01:00
Neels Hofmeyr 0575e9bad9 vty: revert rename of 'show gtp'
Rename 'show tunend' back to 'show gtp'.
Clarify the VTY doc.

While renaming 'gtp' to 'tunend', I also renamed the general 'show gtp'
VTY command by accident / by misunderstanding. This command shows all
GTP tunnel state, not just the tunend state.

Reverts a small portion of commit "VTY: rename 'gtp' to 'tunend'"
  95eb2c6a89
  I49ac7b1f8b5b74f586edfed1dfb29f9af55a521b

Change-Id: I8f619d4ddda3efffb62cf594878d3166cb37fe45
2022-11-21 16:47:22 +01:00
Neels Hofmeyr 701bb8addc VTY: rename 'nft' to 'tunmap'
So far the config nodes were named after the implementation:
"GTP kernel module" = "gtp" and
"netfilter" = "nft"

We found that this is confusing, since both are related to handling GTP.
Rename "nft" to "tunmap"; a previous patch already renamed "gtp" to
"tunend".

Keep a hidden "nft" VTY cmd as backwards compat alias.

Related: SYS#6192
Change-Id: Ia3c5224dd3b5f5c9437bbdec997d02176818cc97
2022-11-18 23:49:14 +01:00
Neels Hofmeyr 95eb2c6a89 VTY: rename 'gtp' to 'tunend'
So far the config nodes were named after the implementation:
"GTP kernel module" = "gtp" and
"netfilter" = "nft"

We found that this is confusing, since both are related to handling GTP.
Rename "gtp" to "tunend"; a subsequent patch will rename "nft" to
"tunmap".

Keep a hidden "gtp" VTY cmd as backwards compat alias.

In log output, also print "tunend" instead of "endecaps"
(up_gtp_action_to_str_buf()).

Related: SYS#6192
Change-Id: I49ac7b1f8b5b74f586edfed1dfb29f9af55a521b
2022-11-18 23:49:14 +01:00
Neels Hofmeyr 2d2fcd81bc vty doc: indicate default nft table name
Change-Id: I79b4d287cae47c37b45a35904f298e57120a65f0
2022-09-17 23:02:40 +02:00
Neels Hofmeyr 2442ccd673 vty doc tweaks
Clarify "Add" and "Delete" of GTP devices.
Clarify GTP device in config vs. real GTP device.
Clarify s/kernel/Linux kernel

Related: SYS#5599
Change-Id: I918e0a9a332e4dd4b71965614c19481eb41004d6
2022-08-10 02:12:06 +02:00
Neels Hofmeyr 06482c6554 implement GTP tunnel mapping via netfilter
Implement support for PFCP rulesets that ask for mapping a GTP tunnel:
forwarding GTP payload between two GTP tunnels.

For a GTP tunnel mapping, dispatch netfilter rules that detect GTP
packets with a given source address and TEID, and replace the TEID and
destination address according to the PFCP ruleset.

The netfilter implementation is chosen to effect the packet rewriting
and forwarding to take place directly in the kernel, for high throughput
of GTP packets.

Related: SYS#5599
Change-Id: Ic0d319eb4f98cd51a5999c804c4203ab0bdda650
2022-07-20 17:08:53 +02:00
Neels Hofmeyr bee02fc34f add VTY option gtp/mockup, for VTY tests
To avoid actions that require cap_net_admin permissions on build
servers, add this option to "dry run" all kernel GTP actions. Same will
be added for netfilter rules.

On startup, osmo-upf opens sockets to GTP kernel module / NFT ctx.
However, on build servers, this would require giving cap_net_admin
permissions just to run the VTY tests.

Related: SYS#5599
Change-Id: I3b9c796186307fd8562abcff3f0ccfab0e88b6c8
2022-07-20 17:07:48 +02:00
Neels Hofmeyr 2eeec08d1e add osmo-upf
Related: SYS#5599
Change-Id: I745bcbde6859004c41ddbfd2558036bf9a2d1de2
2022-06-19 14:13:28 +02:00