Neels Hofmeyr
4e1c680e59
Take care of two problems:

- limitation of <= 1024 base chains in nftables, so far meaning we can establish at most 1024 GTP tunnel mappings.
- mangling of source IP in prerouting so far meaning that the system needs to be configured to permit 'martian' packets

The new ruleset separates in pre- and post-routing, so that we set a new destination IP address in pre-routing, and set a new source IP address in post-routing. Hence no problem with martian packet rejection.

The new ruleset uses verdict maps, which are more efficient, and do not hit a limit of 1024 as base chains do.

Before, the nft rule used one chain id. In the new ruleset, each tunmap now needs two distinct chain ids. Refactor.

Related: SYS#6327 SYS#6264
Change-Id: Iccb975a1c0f8a2087f7b7dc4942a6b41f5675a13

- Makefile.am
- atlocal.in
- netinst.vty
- nft-rule.vty
- testsuite.at
- upf.vty