neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-upf/+/35668?usp=email )
Change subject: manual: explain IP forwarding
......................................................................
manual: explain IP forwarding
Change-Id: I7b54f9203c1a77efd43f90b9a1c0105bc5c3efde
---
M doc/manuals/chapters/running.adoc
1 file changed, 47 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-upf refs/changes/68/35668/1
diff --git a/doc/manuals/chapters/running.adoc b/doc/manuals/chapters/running.adoc
index d1a399b..ee66970 100644
--- a/doc/manuals/chapters/running.adoc
+++ b/doc/manuals/chapters/running.adoc
@@ -167,7 +167,7 @@
The Linux kernel netfilter module is used for GTP tunnel proxying, also known as
tunnel forwarding or tunnel mapping.
-When using the netfilter module, you may set up `osmo-upf.cfg` for:
+When using the netfilter module, you should configure:
- GTP Echo (required)
- netfilter table name (optional)
@@ -220,3 +220,40 @@
When running more than one osmo-upf process on a system, pick distinct table
names to avoid name collisions in the nftables rulesets.
+
+=== IP Forwarding
+
+In order to allow the forwarding GTP payloads, the Linux operating system must
+be configured to allow IP forwarding. There are several options:
+
+To allow IP forwarding from and to all interfaces globally in a reboot-safe way,
+you may put a line like this in /etc/sysctl.conf:
+
+----
+net.ipv4.ip_forward=1
+----
+
+To do the same in an ad-hoc way that is not reboot safe but takes effect
+immediately:
+
+----
+sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
+----
+
+The above options may be too permissive for your production environment. It is
+possible to instruct netfilter to allow IP forwarding for specific interfaces
+only, with a configuration like this:
+
+----
+define gtp_netdevs = { eth0, eth23 };
+
+table inet filter {
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ iifname $gtp_netdevs oifname $gtp_netdevs udp dport 2152 accept
+ }
+}
+----
+
+This netfilter ruleset allows IP forwarding, but limited to the GTP-U port 2152,
+and to two specific network interfaces eth0 and eth23.
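Review bot: The paragraph introducing the nftables ruleset presents it as a third alternative to the two `ip_forward` settings, but a `forward` hook chain only filters packets the kernel is already forwarding. `net.ipv4.ip_forward=1` is still needed, so the text should say the ruleset is applied in addition to the sysctl, to narrow what it permits. It is also worth stating that `policy drop` on this chain discards every other forwarded packet on the host, which matters on machines that route other traffic. The `/etc/sysctl.conf` entry only takes effect after a reboot or `sysctl -p`, which the "reboot-safe" paragraph should mention. Typo in the first sentence: "allow the forwarding GTP payloads" is missing "of".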
--
To view, visit
https://gerrit.osmocom.org/c/osmo-upf/+/35668?usp=email
Gerrit-Project: osmo-upf
Gerrit-Branch: master
Gerrit-Change-Id: I7b54f9203c1a77efd43f90b9a1c0105bc5c3efde
Gerrit-Change-Number: 35668
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr(a)sysmocom.de>
Gerrit-MessageType: newchange