Attention is currently required from: pespin.
neels uploaded patch set #4 to this change.
tunmap: refactor nft ruleset: fix "martians" and "1024"

Take care of two problems:
- limitation of <= 1024 base chains in nftables, so far meaning we can
  establish at most 1024 GTP tunnel mappings.
- mangling of source IP in prerouting so far meaning that the system
  needs to be configured to permit 'martian' packets

The new ruleset separates in pre- and post-routing, so that we set a new
destination IP address in pre-routing, and set a new source IP address
in post-routing. Hence no problem with martian packet rejection.

The new ruleset uses verdict maps, which are more efficient, and do not
hit a limit of 1024 as base chains do.

Related: SYS#6327 SYS#6264
Change-Id: Iccb975a1c0f8a2087f7b7dc4942a6b41f5675a13
---
M include/osmocom/upf/upf.h
M include/osmocom/upf/upf_nft.h
M src/osmo-upf/up_gtp_action.c
M src/osmo-upf/upf.c
M src/osmo-upf/upf_nft.c
M src/osmo-upf/upf_vty.c
M tests/nft-rule.vty
7 files changed, 245 insertions(+), 82 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-upf refs/changes/65/31165/4