fixeria has uploaded this change for review.


nft_kpi: add udp/2152 filtering rules separately

Change-Id: I36eb3b18751fc029297fb91545af2d28e61067fd
Related: SYS#7808
---
M src/osmo-hnbgw/nft_kpi.c
1 file changed, 31 insertions(+), 14 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/52/41752/1
diff --git a/src/osmo-hnbgw/nft_kpi.c b/src/osmo-hnbgw/nft_kpi.c
index f8671fc..5121320 100644
--- a/src/osmo-hnbgw/nft_kpi.c
+++ b/src/osmo-hnbgw/nft_kpi.c
@@ -325,33 +325,50 @@
}

/* worker thread */
-static int do_init_table(void)
+static int do_add_chain(bool uplink)
{
char cmd[1024];
struct osmo_strbuf sb = { .buf = cmd, .len = sizeof(cmd) };

/* add global nftables structures */
- OSMO_STRBUF_PRINTF(sb, "add table inet %s { flags owner; };\n", g_nft_thread->table_name);
OSMO_STRBUF_PRINTF(sb,
- "add chain inet %s gtpu-ul {"
- " type filter hook prerouting priority 0; policy accept;"
- " ip protocol != udp accept;"
- " udp dport != 2152 accept;"
+ "add chain inet %s gtpu-%s {"
+ " type filter hook %srouting priority 0; policy accept;"
"};\n",
- g_nft_thread->table_name);
- OSMO_STRBUF_PRINTF(sb,
- "add chain inet %s gtpu-dl {"
- " type filter hook postrouting priority 0; policy accept;"
- " ip protocol != udp accept;"
- " udp dport != 2152 accept;"
- "};\n",
- g_nft_thread->table_name);
+ g_nft_thread->table_name,
+ uplink ? "ul" : "dl",
+ uplink ? "pre" : "post");
+ OSMO_STRBUF_PRINTF(sb, "add rule inet %s gtpu-%s ip protocol != udp accept;\n",
+ g_nft_thread->table_name,
+ uplink ? "ul" : "dl");
+ OSMO_STRBUF_PRINTF(sb, "add rule inet %s gtpu-%s udp dport != 2152 accept;\n",
+ g_nft_thread->table_name,
+ uplink ? "ul" : "dl");
OSMO_ASSERT(sb.chars_needed < sizeof(cmd));

return nft_run_now(cmd, NULL, NULL);
}

/* worker thread */
+static int do_init_table(void)
+{
+ int rc;
+ char cmd[1024];
+ struct osmo_strbuf sb = { .buf = cmd, .len = sizeof(cmd) };
+
+ /* add global nftables structures */
+ OSMO_STRBUF_PRINTF(sb, "add table inet %s { flags owner; };\n", g_nft_thread->table_name);
+ OSMO_ASSERT(sb.chars_needed < sizeof(cmd));
+ if ((rc = nft_run_now(cmd, NULL, NULL)) != 0)
+ return rc;
+ if ((rc = do_add_chain(true)) != 0) /* gtpu-ul */
+ return rc;
+ if ((rc = do_add_chain(false)) != 0) /* gtpu-dl */
+ return rc;
+ return 0;
+}
+
+/* worker thread */
static void nft_t2m_enqueue(struct nft_thread *t, struct nft_thread_req *req)
{
LOGP(DNFT, LOGL_DEBUG, "main() <- %s: %s rc=%d\n", t->label, nft_thread_req_type_name[req->type], req->rc);
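Review bot: do_init_table() now issues three separate nft_run_now() calls (the table, then do_add_chain(true), then do_add_chain(false)), so a failure in a later call returns early and leaves the table with only some of its chains and rules installed; the removed code sent everything in one command buffer. nft_run_now() is defined outside this hunk, so whether each call is its own nftables transaction is an assumption to confirm, as is what the caller does with a non-zero rc. If so, do_add_chain() could append to a caller-supplied strbuf and the buffer be run once, as sketched below, which still keeps the udp/2152 rules as separate `add rule` commands. The retained comment `/* add global nftables structures */` in do_add_chain() no longer describes that function; something like `/* add the gtpu-ul or gtpu-dl chain and its udp/2152 pre-filter rules */` would fit.

```c
/* worker thread: append one direction's chain and rules to the caller's buffer */
static void do_add_chain(struct osmo_strbuf *sb, bool uplink)
{
	const char *dir = uplink ? "ul" : "dl";

	OSMO_STRBUF_PRINTF(*sb,
			   "add chain inet %s gtpu-%s {"
			   " type filter hook %srouting priority 0; policy accept;"
			   "};\n",
			   g_nft_thread->table_name, dir, uplink ? "pre" : "post");
	/* … unchanged: the two "add rule" lines, printed into *sb using dir … */
}

/* worker thread */
static int do_init_table(void)
{
	char cmd[1024];
	struct osmo_strbuf sb = { .buf = cmd, .len = sizeof(cmd) };

	OSMO_STRBUF_PRINTF(sb, "add table inet %s { flags owner; };\n", g_nft_thread->table_name);
	do_add_chain(&sb, true);  /* gtpu-ul */
	do_add_chain(&sb, false); /* gtpu-dl */
	OSMO_ASSERT(sb.chars_needed < sizeof(cmd));

	/* single buffer, single call: table, chains and rules are submitted together */
	return nft_run_now(cmd, NULL, NULL);
}
```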


Gerrit-MessageType: newchange
Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: I36eb3b18751fc029297fb91545af2d28e61067fd
Gerrit-Change-Number: 41752
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>