fixeria submitted this change.

View Change

Approvals: Jenkins Builder: Verified pespin: Looks good to me, but someone else must approve osmith: Looks good to me, but someone else must approve fixeria: Looks good to me, approved 
nft_kpi: add udp/2152 filtering rules separately

Mixing declarative and imperative syntax is supported by recent
nftables versions, but is known to be broken in older releases.
This affects the nftables version currently provided by Osmocom
for Debian 12 (bookworm): 1.0.6.3~osmocom.429.7d98.

As a result, the generated ruleset ends up accepting all packets rather
than only udp/2152 as intended.  Consequently, the nftables counters do
not reflect GTP-U traffic alone, but also include signalling traffic.

Let's work this around by adding the udp/2152 filtering rules separately
using the imperative syntax.  Split the logic for adding a chain into
a separate function to avoid code duplication.

Change-Id: I36eb3b18751fc029297fb91545af2d28e61067fd
Related: SYS#7808
---
M src/osmo-hnbgw/nft_kpi.c
1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/src/osmo-hnbgw/nft_kpi.c b/src/osmo-hnbgw/nft_kpi.c
index f8671fc..3513688 100644
--- a/src/osmo-hnbgw/nft_kpi.c
+++ b/src/osmo-hnbgw/nft_kpi.c
@@ -324,6 +324,23 @@
 	LOGP(DNFT, LOGL_DEBUG, "thread %s: successfully allocated nft ctx\n", g_nft_thread->label);
 }
 
+static void _nft_add_chain(struct osmo_strbuf *sb,
+			   const char *chain_name,
+			   const char *hook)
+{
+	/* add a chain */
+	OSMO_STRBUF_PRINTF(*sb,
+			   "add chain inet %s %s {"
+			   " type filter hook %s priority 0; policy accept;"
+			   "};\n",
+			   g_nft_thread->table_name, chain_name, hook);
+	/* accept (ignore) all traffic other than GTP-U (udp/2152) */
+	OSMO_STRBUF_PRINTF(*sb, "add rule inet %s %s ip protocol != udp accept;\n",
+			   g_nft_thread->table_name, chain_name);
+	OSMO_STRBUF_PRINTF(*sb, "add rule inet %s %s udp dport != 2152 accept;\n",
+			   g_nft_thread->table_name, chain_name);
+}
+
 /* worker thread */
 static int do_init_table(void)
 {
@@ -332,20 +349,8 @@
 
 	/* add global nftables structures */
 	OSMO_STRBUF_PRINTF(sb, "add table inet %s { flags owner; };\n", g_nft_thread->table_name);
-	OSMO_STRBUF_PRINTF(sb,
-			   "add chain inet %s gtpu-ul {"
-			   " type filter hook prerouting priority 0; policy accept;"
-			   " ip protocol != udp accept;"
-			   " udp dport != 2152 accept;"
-			   "};\n",
-			   g_nft_thread->table_name);
-	OSMO_STRBUF_PRINTF(sb,
-			   "add chain inet %s gtpu-dl {"
-			   " type filter hook postrouting priority 0; policy accept;"
-			   " ip protocol != udp accept;"
-			   " udp dport != 2152 accept;"
-			   "};\n",
-			   g_nft_thread->table_name);
+	_nft_add_chain(&sb, "gtpu-ul", "prerouting");
+	_nft_add_chain(&sb, "gtpu-dl", "postrouting");
 	OSMO_ASSERT(sb.chars_needed < sizeof(cmd));
 
 	return nft_run_now(cmd, NULL, NULL);

To view, visit change 41752. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-MessageType: merged
Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: I36eb3b18751fc029297fb91545af2d28e61067fd
Gerrit-Change-Number: 41752
Gerrit-PatchSet: 5
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: neels <nhofmeyr@sysmocom.de>
Gerrit-Reviewer: osmith <osmith@sysmocom.de>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>
Gerrit-CC: laforge <laforge@osmocom.org>