cellular-infrastructure
/
osmo-upf
mirror of https://gerrit.osmocom.org/osmo-upf
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
osmo-upf/tests
History
Neels Hofmeyr 4e1c680e59 tunmap: refactor nft ruleset: fix "martians" and "1024" 
Take care of two problems:
- limitation of <= 1024 base chains in nftables, so far meaning we can
  establish at most 1024 GTP tunnel mappings.
- mangling of source IP in prerouting so far meaning that the system
  needs to be configured to permit 'martian' packets

The new ruleset separates in pre- and post-routing, so that we set a new
destination IP address in pre-routing, and set a new source IP address
in post-routing. Hence no problem with martian packet rejection.

The new ruleset uses verdict maps, which are more efficient, and do not
hit a limit of 1024 as base chains do.

Before, the nft rule used one chain id. In the new ruleset, each tunmap
now needs two distinct chain ids. Refactor.

Related: SYS#6327 SYS#6264
Change-Id: Iccb975a1c0f8a2087f7b7dc4942a6b41f5675a13
 		2023-02-09 18:14:09 +01:00
..
Makefile.am add VTY option gtp/mockup, for VTY tests 2022-07-20 17:07:48 +02:00
atlocal.in initial osmocom boilerplate source tree 2022-01-21 01:45:44 +01:00
netinst.vty tunmap: choose local GTP addr by Network Instance IEs 2022-12-09 17:25:58 +00:00
nft-rule.vty tunmap: refactor nft ruleset: fix "martians" and "1024" 2023-02-09 18:14:09 +01:00
testsuite.at move libosmo-pfcp to libosmo-pfcp.git 2022-06-17 16:59:15 +02:00
upf.vty deprecate cfg 'nft rule tunmap append' 2023-02-09 00:13:08 +01:00