8 Dec
2022
8 Dec
'22
1:26 a.m.
neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-upf/+/30497
)
Change subject: nft: make sure to use only IP addrs, not port numbers
......................................................................
nft: make sure to use only IP addrs, not port numbers
There should be no port set in the sockaddrs. If there is a nonzero port
by accident, it would mess up the nftables rule: to-string conversion
should yield only an IP address. So ensure all port numbers are zero.
In upf_nft_args, use osmo_sockaddr members instead of pointers, so that
the input args can be modified (to set ports to zero).
Change-Id: If49f1e82e8cb92b7225e85a7c3b059e0f7f92fa3
---
M src/osmo-upf/upf_nft.c
1 file changed, 15 insertions(+), 9 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-upf refs/changes/97/30497/1
diff --git a/src/osmo-upf/upf_nft.c b/src/osmo-upf/upf_nft.c
index c34cbfb..e9c69c4 100644
--- a/src/osmo-upf/upf_nft.c
+++ b/src/osmo-upf/upf_nft.c
@@ -100,11 +100,11 @@
struct upf_nft_args_peer {
/* The source IP address in packets received from this peer */
- const struct osmo_sockaddr *addr_remote;
+ struct osmo_sockaddr addr_remote;
/* The TEID that we send to the peer in GTP packets. */
uint32_t teid_remote;
/* The local destination IP address in packets received from this peer */
- const struct osmo_sockaddr *addr_local;
+ struct osmo_sockaddr addr_local;
/* The TEID that the peer sends to us in GTP packets. */
uint32_t teid_local;
};
@@ -133,18 +133,18 @@
/* Match on packets coming in at specific local IP */
OSMO_STRBUF_PRINTF(sb, " ip daddr ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, from_peer->addr_local);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &from_peer->addr_local);
/* Match on the TEID in the header */
OSMO_STRBUF_PRINTF(sb, " @ih,32,32 0x%08x", from_peer->teid_local);
/* Change outgoing address to local IP on outgoing interface */
OSMO_STRBUF_PRINTF(sb, " ip saddr set ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_local);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &to_peer->addr_local);
/* Change destination address to to_peer */
OSMO_STRBUF_PRINTF(sb, " ip daddr set ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_remote);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &to_peer->addr_remote);
/* Change the TEID in the header to the one to_peer expects */
OSMO_STRBUF_PRINTF(sb, " @ih,32,32 set 0x%08x", to_peer->teid_remote);
@@ -196,18 +196,24 @@
.chain_id = tunmap->id,
.priority = g_upf->nft.priority,
.peer_a = {
- .addr_remote = &tunmap->access.gtp_remote_addr,
+ .addr_remote = tunmap->access.gtp_remote_addr,
.teid_remote = tunmap->access.remote_teid,
- .addr_local = &tunmap->access.gtp_local_addr,
+ .addr_local = tunmap->access.gtp_local_addr,
.teid_local = tunmap->access.local_teid,
},
.peer_b = {
- .addr_remote = &tunmap->core.gtp_remote_addr,
+ .addr_remote = tunmap->core.gtp_remote_addr,
.teid_remote = tunmap->core.remote_teid,
- .addr_local = &tunmap->core.gtp_local_addr,
+ .addr_local = tunmap->core.gtp_local_addr,
.teid_local = tunmap->core.local_teid,
},
};
+ /* There should be no port set in the sockaddrs. If there is a nonzero port by accident,
it would mess up the
+ * nftables rule: to-string conversion should yield only an IP address. So ensure all
port numbers are zero. */
+ osmo_sockaddr_set_port(&args->peer_a.addr_remote.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_a.addr_local.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_b.addr_remote.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_b.addr_local.u.sa, 0);
}
int upf_nft_tunmap_create(struct upf_nft_tunmap_desc *tunmap)
--
To view, visit https://gerrit.osmocom.org/c/osmo-upf/+/30497
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings
Gerrit-Project: osmo-upf
Gerrit-Branch: master
Gerrit-Change-Id: If49f1e82e8cb92b7225e85a7c3b059e0f7f92fa3
Gerrit-Change-Number: 30497
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr(a)sysmocom.de>
Gerrit-MessageType: newchange