

vty: add: show nft-rule tunmap example

Add VTY command to print out an nftables ruleset that osmo-upf produces,
with arbitrary IP addrs / TEIDs inserted. This allows tracking in *.vty
tests how the nftables rulesets are changed by patches.

Notes on the command keywords, chosen with future extensions in mind:
- Adding the 'tunmap' keyword to allow adding show commands for
different uses of nftables.
- Adding the 'example' keyword to allow adding show commands for
actual tunmap IDs / PFCP session IDs / ...
- Matches upcoming vty commands
'nft-rule tunmap append .NFT_RULE'
'no nft-rule tunmap append'
'show nft-rule tunmap append'

Add new separate nft-rule.vty -- more to come here in upcoming patch.

Change-Id: I9b57aa492c051e480c9bd819ae58f8f59a13af40
---
M src/osmo-upf/upf_nft.c
M src/osmo-upf/upf_vty.c
A tests/nft-rule.vty
M tests/upf.vty
4 files changed, 65 insertions(+), 3 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-upf refs/changes/99/30499/1
diff --git a/src/osmo-upf/upf_nft.c b/src/osmo-upf/upf_nft.c
index afc2fac..a0f005d 100644
--- a/src/osmo-upf/upf_nft.c
+++ b/src/osmo-upf/upf_nft.c
@@ -64,6 +64,12 @@
int upf_nft_init()
{
int rc;
+
+ /* Always set up the default settings, also in mockup mode, so that the VTY reflects sane values */
+ if (!g_upf->nft.table_name)
+ g_upf->nft.table_name = talloc_strdup(g_upf, "osmo-upf");
+
+ /* When in mockup mode, do not set up nft_ctx and netfilter table */
if (g_upf->nft.mockup) {
LOGP(DNFT, LOGL_NOTICE,
"tunmap/mockup active: not allocating libnftables nft_ctx. FOR TESTING PURPOSES ONLY.\n");
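Review bot: The talloc_strdup() result on the added line `g_upf->nft.table_name = talloc_strdup(g_upf, "osmo-upf");` is not checked, so on allocation failure table_name stays NULL and, outside mockup mode, is handed straight to upf_nft_ruleset_table_create() and the "Failed to create nft table %s" log later in the function. A guard such as `if (!g_upf->nft.table_name) return -ENOMEM;` directly after the strdup would keep the failure local and matches the negative-errno convention the function already uses (`return -EIO;` in the next hunk). upf_nft_init() continues past this hunk; the second hunk of this file is only the removal of the old placement and needs no separate fix.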
@@ -76,9 +82,6 @@
return -EIO;
}

- if (!g_upf->nft.table_name)
- g_upf->nft.table_name = talloc_strdup(g_upf, "osmo-upf");
-
rc = upf_nft_run(upf_nft_ruleset_table_create(OTC_SELECT, g_upf->nft.table_name));
if (rc) {
LOGP(DNFT, LOGL_ERROR, "Failed to create nft table %s\n",
diff --git a/src/osmo-upf/upf_vty.c b/src/osmo-upf/upf_vty.c
index aff7590..6d74b21 100644
--- a/src/osmo-upf/upf_vty.c
+++ b/src/osmo-upf/upf_vty.c
@@ -254,6 +254,43 @@
return CMD_SUCCESS;
}

+#define NFT_RULE_STR "nftables rule specifics\n"
+#define TUNMAP_STR "GTP tunmap use case (a.k.a. forwarding between two GTP tunnels)\n"
+
+DEFUN(show_nft_rule_tunmap_example, show_nft_rule_tunmap_example_cmd,
+ "show nft-rule tunmap example",
+ SHOW_STR NFT_RULE_STR TUNMAP_STR
+ "Print a complete nftables ruleset for a tunmap filled with example IP addresses and TEIDs\n")
+{
+ struct osmo_sockaddr_str str = {};
+ struct upf_nft_tunmap_desc d = {
+ .access = {
+ .local_teid = 0x201,
+ .remote_teid = 0x102,
+ },
+ .core = {
+ .local_teid = 0x203,
+ .remote_teid = 0x302,
+ },
+ .id = 123,
+ };
+
+ osmo_sockaddr_str_from_str2(&str, "1.1.1.1");
+ osmo_sockaddr_str_to_sockaddr(&str, &d.access.gtp_remote_addr.u.sas);
+
+ osmo_sockaddr_str_from_str2(&str, "2.2.2.1");
+ osmo_sockaddr_str_to_sockaddr(&str, &d.access.gtp_local_addr.u.sas);
+
+ osmo_sockaddr_str_from_str2(&str, "2.2.2.3");
+ osmo_sockaddr_str_to_sockaddr(&str, &d.core.gtp_local_addr.u.sas);
+
+ osmo_sockaddr_str_from_str2(&str, "3.3.3.3");
+ osmo_sockaddr_str_to_sockaddr(&str, &d.core.gtp_remote_addr.u.sas);
+
+ vty_out(vty, "%s%s", upf_nft_tunmap_get_ruleset_str(OTC_SELECT, &d), VTY_NEWLINE);
+ return CMD_SUCCESS;
+}
+
static struct cmd_node cfg_netinst_node = {
NETINST_NODE,
"%s(config-netinst)# ",
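Review bot: The return value of upf_nft_tunmap_get_ruleset_str() is passed unchecked into a "%s" at `vty_out(vty, "%s%s", upf_nft_tunmap_get_ruleset_str(OTC_SELECT, &d), VTY_NEWLINE);`; if that helper can return NULL (its implementation is not in this diff), the vty_out is undefined behaviour. A two-line guard avoids it: `const char *ruleset = upf_nft_tunmap_get_ruleset_str(OTC_SELECT, &d);` followed by `vty_out(vty, "%s%s", ruleset ? ruleset : "(error)", VTY_NEWLINE);`. The four osmo_sockaddr_str_from_str2()/osmo_sockaddr_str_to_sockaddr() results are also ignored; with fixed literal addresses they will not fail in practice, but an OSMO_ASSERT on each would make the example deterministic by construction rather than by assumption. A short comment above the DEFUN, e.g. `/* Fixed example addresses and TEIDs: the *.vty tests compare the emitted ruleset verbatim, so any change here changes the test expectations. */`, would tell the next maintainer why the values must not drift.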
@@ -435,6 +472,7 @@
install_element(TUNMAP_NODE, &cfg_tunmap_mockup_cmd);
install_element(TUNMAP_NODE, &cfg_tunmap_no_mockup_cmd);
install_element(TUNMAP_NODE, &cfg_tunmap_table_name_cmd);
+ install_element(TUNMAP_NODE, &show_nft_rule_tunmap_example_cmd);

install_node(&cfg_netinst_node, config_write_netinst);
install_element(CONFIG_NODE, &cfg_netinst_cmd);
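Review bot: The new show command is installed only into TUNMAP_NODE at `install_element(TUNMAP_NODE, &show_nft_rule_tunmap_example_cmd);`, so it is reachable only from within the tunmap config node and not from VIEW/ENABLE where show commands are normally found (the tests in upf.vty confirm this placement). If that is deliberate, a one-line comment saying so would prevent a later "move it to install_element_ve()" patch; if not, install_element_ve() would expose it at VIEW_NODE and ENABLE_NODE without any config-node side effects, since the command only reads constants.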
diff --git a/tests/nft-rule.vty b/tests/nft-rule.vty
new file mode 100644
index 0000000..f328871
--- /dev/null
+++ b/tests/nft-rule.vty
@@ -0,0 +1,8 @@
+OsmoUPF> enable
+OsmoUPF# configure terminal
+OsmoUPF(config)# tunmap
+
+OsmoUPF(config-tunmap)# show nft-rule tunmap example
+add chain inet osmo-upf tunmap123 { type filter hook prerouting priority -300; }
+add rule inet osmo-upf tunmap123 meta l4proto udp ip daddr 2.2.2.1 @ih,32,32 0x00000201 ip saddr set 2.2.2.3 ip daddr set 3.3.3.3 @ih,32,32 set 0x00000302 counter;
+add rule inet osmo-upf tunmap123 meta l4proto udp ip daddr 2.2.2.3 @ih,32,32 0x00000203 ip saddr set 2.2.2.1 ip daddr set 1.1.1.1 @ih,32,32 set 0x00000102 counter;
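Review bot: The new expectation file tests/nft-rule.vty is not accompanied by any test-harness change in this diffstat (only the four listed files are touched), so unless the VTY test runner discovers *.vty files by glob, this file will not be executed and its expectations will silently go stale. It would be worth confirming the discovery mechanism or adding the file to the test list in the same change.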
diff --git a/tests/upf.vty b/tests/upf.vty
index 5100b17..8931719 100644
--- a/tests/upf.vty
+++ b/tests/upf.vty
@@ -52,6 +52,7 @@
mockup
no mockup
table-name TABLE_NAME
+ show nft-rule tunmap example
OsmoUPF(config-tunmap)# exit

OsmoUPF(config)# tunmap
@@ -60,6 +61,7 @@
mockup
no mockup
table-name TABLE_NAME
+ show nft-rule tunmap example

OsmoUPF(config-tunmap)# mockup?
mockup don't actually send rulesets to nftables, just return success
@@ -70,3 +72,14 @@
table-name Set the nft inet table name to create and place GTP tunnel forwarding chains in (as in 'nft add table inet foo'). If multiple instances of osmo-upf are running on the same system, each osmo-upf must have its own table name. Otherwise the names of created forwarding chains will collide. The default table name is "osmo-upf".
OsmoUPF(config-tunmap)# table-name ?
TABLE_NAME nft inet table name
+
+OsmoUPF(config-tunmap)# show?
+ show Show running system information
+OsmoUPF(config-tunmap)# show ?
+...
+ nft-rule nftables rule specifics
+...
+OsmoUPF(config-tunmap)# show nft-rule ?
+ tunmap GTP tunmap use case (a.k.a. forwarding between two GTP tunnels)
+OsmoUPF(config-tunmap)# show nft-rule tunmap ?
+ example Print a complete nftables ruleset for a tunmap filled with example IP addresses and TEIDs


Gerrit-Project: osmo-upf
Gerrit-Branch: master
Gerrit-Change-Id: I9b57aa492c051e480c9bd819ae58f8f59a13af40
Gerrit-Change-Number: 30499
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr@sysmocom.de>
Gerrit-MessageType: newchange