laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-upf/+/35668?usp=email )
Change subject: manual: explain IP forwarding
......................................................................
manual: explain IP forwarding
Change-Id: I7b54f9203c1a77efd43f90b9a1c0105bc5c3efde
---
M doc/manuals/chapters/running.adoc
1 file changed, 50 insertions(+), 0 deletions(-)
Approvals:
laforge: Looks good to me, approved
Jenkins Builder: Verified
neels: Looks good to me, but someone else must approve
diff --git a/doc/manuals/chapters/running.adoc b/doc/manuals/chapters/running.adoc
index eda1a6d..c0ba066 100644
--- a/doc/manuals/chapters/running.adoc
+++ b/doc/manuals/chapters/running.adoc
@@ -226,3 +226,44 @@
When running more than one osmo-upf process on a system, pick distinct table
names to avoid name collisions in the nftables rulesets.
+
+=== IP Forwarding
+
+In order to allow forwarding GTP payloads, the Linux operating system must
+be configured to allow IP forwarding.
+
+Note that there are many distribution-specific ways to configure this, and there
+might be higher-level firewall rule management software available like `ufw`.
+You should configure firewall rules matching your distribution and setup.
+
+To allow IP forwarding from and to all interfaces globally in a reboot-safe way,
+you may put a line like this in /etc/sysctl.conf:
+
+----
+net.ipv4.ip_forward=1
+----
+
+To do the same in an ad-hoc way that is not reboot safe but takes effect
+immediately:
+
+----
+sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
+----
+
+It is also possible to instruct the firewall to allow IP forwarding for specific
+network devices only. For example, on a Debian based system, place an nft
+ruleset like this in `/etc/nftables.conf`:
+
+----
+define gtp_netdevs = { eth0, eth23 };
+
+table inet filter {
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ iifname $gtp_netdevs oifname $gtp_netdevs udp dport 2152 accept
+ }
+}
+----
+
+This ruleset allows IP forwarding, but limited to the GTP-U port 2152,
+and to two specific network devices eth0 and eth23.
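Review bot: The nft example's `forward` chain sets `policy drop` in a `table inet filter`, so once loaded it discards every other forwarded packet on the host, IPv4 and IPv6, on any interface, and the closing sentence ("This ruleset allows IP forwarding, but limited to the GTP-U port 2152") does not say so. Please state that explicitly, because a reader who pastes this into `/etc/nftables.conf` on a machine that also routes other traffic will cut that traffic off. It would also help to say that the ruleset only filters and does not itself enable forwarding, so `net.ipv4.ip_forward=1` from the earlier paragraph is still required, and that the `/etc/sysctl.conf` line takes effect only after a reboot or `sysctl -p`. The section opens with "forwarding GTP payloads" while the rule matches only `udp dport 2152`; is an additional accept rule needed for setups where the tunnel is terminated and the inner packets are forwarded as plain IP? If so, the text should mention it. Minor style point: `/etc/sysctl.conf` is not in backticks while `/etc/nftables.conf` is.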
--
Gerrit-Project: osmo-upf
Gerrit-Branch: master
Gerrit-Change-Id: I7b54f9203c1a77efd43f90b9a1c0105bc5c3efde
Gerrit-Change-Number: 35668
Gerrit-PatchSet: 4
Gerrit-Owner: neels <nhofmeyr(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: neels <nhofmeyr(a)sysmocom.de>
Gerrit-MessageType: merged