neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-upf/+/30497 )
Change subject: nft: make sure to use only IP addrs, not port numbers ......................................................................
nft: make sure to use only IP addrs, not port numbers
There should be no port set in the sockaddrs. If there is a nonzero port by accident, it would mess up the nftables rule: to-string conversion should yield only an IP address. So ensure all port numbers are zero.
In upf_nft_args, use osmo_sockaddr members instead of pointers, so that the input args can be modified (to set ports to zero).
Change-Id: If49f1e82e8cb92b7225e85a7c3b059e0f7f92fa3 --- M src/osmo-upf/upf_nft.c 1 file changed, 15 insertions(+), 9 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-upf refs/changes/97/30497/1
diff --git a/src/osmo-upf/upf_nft.c b/src/osmo-upf/upf_nft.c
index c34cbfb..e9c69c4 100644
--- a/src/osmo-upf/upf_nft.c
+++ b/src/osmo-upf/upf_nft.c
@@ -100,11 +100,11 @@
struct upf_nft_args_peer {
/* The source IP address in packets received from this peer */
- const struct osmo_sockaddr *addr_remote;
+ struct osmo_sockaddr addr_remote;
/* The TEID that we send to the peer in GTP packets. */
uint32_t teid_remote;
/* The local destination IP address in packets received from this peer */
- const struct osmo_sockaddr *addr_local;
+ struct osmo_sockaddr addr_local;
/* The TEID that the peer sends to us in GTP packets. */
uint32_t teid_local;
};
@@ -133,18 +133,18 @@
/* Match on packets coming in at specific local IP */
OSMO_STRBUF_PRINTF(sb, " ip daddr ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, from_peer->addr_local);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &from_peer->addr_local);
/* Match on the TEID in the header */
OSMO_STRBUF_PRINTF(sb, " @ih,32,32 0x%08x", from_peer->teid_local);
/* Change outgoing address to local IP on outgoing interface */
OSMO_STRBUF_PRINTF(sb, " ip saddr set ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_local);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &to_peer->addr_local);
/* Change destination address to to_peer */
OSMO_STRBUF_PRINTF(sb, " ip daddr set ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_remote);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &to_peer->addr_remote);
/* Change the TEID in the header to the one to_peer expects */
OSMO_STRBUF_PRINTF(sb, " @ih,32,32 set 0x%08x", to_peer->teid_remote);
@@ -196,18 +196,24 @@
.chain_id = tunmap->id,
.priority = g_upf->nft.priority,
.peer_a = {
- .addr_remote = &tunmap->access.gtp_remote_addr,
+ .addr_remote = tunmap->access.gtp_remote_addr,
.teid_remote = tunmap->access.remote_teid,
- .addr_local = &tunmap->access.gtp_local_addr,
+ .addr_local = tunmap->access.gtp_local_addr,
.teid_local = tunmap->access.local_teid,
},
.peer_b = {
- .addr_remote = &tunmap->core.gtp_remote_addr,
+ .addr_remote = tunmap->core.gtp_remote_addr,
.teid_remote = tunmap->core.remote_teid,
- .addr_local = &tunmap->core.gtp_local_addr,
+ .addr_local = tunmap->core.gtp_local_addr,
.teid_local = tunmap->core.local_teid,
},
};
+ /* There should be no port set in the sockaddrs. If there is a nonzero port by accident, it would mess up the
+ * nftables rule: to-string conversion should yield only an IP address. So ensure all port numbers are zero. */
+ osmo_sockaddr_set_port(&args->peer_a.addr_remote.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_a.addr_local.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_b.addr_remote.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_b.addr_local.u.sa, 0);
}
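Review bot: The three `OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, ...)` calls in the @@ -133 hunk still render a whole sockaddr into the rule text, so the output is IP-only just because some caller zeroed the port beforehand; nothing at the place where the nftables rule is assembled checks it. The same lines hard-code the IPv4 expressions `ip daddr` / `ip saddr set` / `ip daddr set`, and no address-family check is visible here, so an AF_INET6 address would presumably yield a rule that nft does not accept as written. Because these values end up verbatim in a packet-filter ruleset, I would validate them where the string is built and refuse to emit any rule text when, for example, `from_peer->addr_local.u.sa.sa_family != AF_INET`, with the same test for the two `to_peer` addresses. The enclosing function starts and ends outside this hunk, so such a check may already exist in a part that is not shown.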
int upf_nft_tunmap_create(struct upf_nft_tunmap_desc *tunmap)
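Review bot: The zero-port requirement is documented only in the comment above the four `osmo_sockaddr_set_port()` calls at the end of this hunk, so any other code that fills a `struct upf_nft_args` has no hint that it must do the same. The member comments in `struct upf_nft_args_peer` (the @@ -100 hunk) are the place a reader will look; I would extend them along the lines of `/* The source IP address in packets received from this peer. Port must be 0: the whole sockaddr is rendered into the nft rule. */`, and likewise for `addr_local`. It would also help to say in the new comment that the sockaddrs are copied by value so that `tunmap` itself stays unmodified, which appears to be the intent given the commit message. This function begins outside the hunk, so whether `args` is populated anywhere else cannot be judged from the lines shown.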