laforge has submitted this change. (
https://gerrit.osmocom.org/c/osmo-upf/+/36753?usp=email )
Change subject: tunmap: always set GTP-U source port to 2152 when forwarding
......................................................................
tunmap: always set GTP-U source port to 2152 when forwarding
We see GTP-U originating from ports other than 2152 in the field. When
osmo-upf forwards these, we want to forward from our GTP-U port 2152,
since that is the only port osmo-upf has bound for GTP-U (for echo).
According to 3GPP TS 29.060, the *destination* port for GTP-U shall be
2152 -- but the source port is apparently allowed to be different.
Before this patch, we would forward GTP-U like this:
3.3.3.3:33333 -> (3.3.3.4:2152 UPF 2.2.2.2:33333) -> 1.1.1.1:2152
^^^^^
Instead we want to always send from UDP source port 2152:
3.3.3.3:33333 -> (3.3.3.4:2152 UPF 2.2.2.2:2152) -> 1.1.1.1:2152
^^^^
This hasn't shown up before because so far all GTP-U peers we saw
consistently used source port 2152.
Related: SYS#6773
Change-Id: Idaf43f1c2b915846b50a8b97305f0229e34ad539
---
M src/osmo-upf/upf_nft.c
M tests/nft-rule.vty
M tests/unique_ids/unique_ids_test.err
3 files changed, 46 insertions(+), 15 deletions(-)
Approvals:
neels: Looks good to me, but someone else must approve
laforge: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/osmo-upf/upf_nft.c b/src/osmo-upf/upf_nft.c
index 4401f1e..c14dbf7 100644
--- a/src/osmo-upf/upf_nft.c
+++ b/src/osmo-upf/upf_nft.c
@@ -177,7 +177,7 @@
* # add chain for verdict map in postrouting
* add chain inet osmo-upf tunmap-post-123
* # mangle source address and GTP TID at postrouting
- * add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.1 @ih,32,32 set 0x00000102
counter accept
+ * add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.1 udp sport set 2152
@ih,32,32 set 0x00000102 counter accept
*
* # add elements to verdict map, jump to chain
* add element inet osmo-upf tunmap-pre { 2.2.2.3 . 0x00000203 : jump tunmap-pre-123 }
@@ -200,6 +200,7 @@
args->table_name, from_peer->chain_id);
OSMO_STRBUF_PRINTF(sb, " ip saddr set ");
OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_local);
+ OSMO_STRBUF_PRINTF(sb, " udp sport set 2152");
OSMO_STRBUF_PRINTF(sb, " @ih,32,32 set 0x%x", to_peer->teid_remote);
OSMO_STRBUF_PRINTF(sb, " counter accept;\n");
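Review bot: The literal `2152` in the added `OSMO_STRBUF_PRINTF(sb, " udp sport set 2152");` duplicates the GTP-U port that the commit message says osmo-upf has bound, so the nft rule and the socket can silently drift apart if that port ever changes. I would format it from whatever constant or config value the bind uses, e.g. `OSMO_STRBUF_PRINTF(sb, " udp sport set %u", gtpu_port);` (`gtpu_port` is a placeholder, the real name is not visible in this hunk), and add a one-line comment such as `/* peers may send from any source port; always forward from our bound GTP-U port */`. The rewrite also erases the sender's original source port from forwarded traffic, and the pre-routing map shown in the comment of the previous hunk appears to key only on local address and TEID. It may therefore be worth keeping some visibility of senders using a non-2152 source port, such as a separate counter or log line, for troubleshooting and detection. The enclosing function starts and ends outside the hunk.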
diff --git a/tests/nft-rule.vty b/tests/nft-rule.vty
index 0fe3648..8f7b98a 100644
--- a/tests/nft-rule.vty
+++ b/tests/nft-rule.vty
@@ -18,13 +18,13 @@
add chain inet osmo-upf tunmap-pre-123;
add rule inet osmo-upf tunmap-pre-123 ip daddr set 3.3.3.3 meta mark set 123 counter
accept;
add chain inet osmo-upf tunmap-post-123;
-add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.3 @ih,32,32 set 0x302 counter
accept;
+add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.3 udp sport set 2152 @ih,32,32
set 0x302 counter accept;
add element inet osmo-upf tunmap-pre { 2.2.2.1 . 0x201 : jump tunmap-pre-123 };
add element inet osmo-upf tunmap-post { 123 : jump tunmap-post-123 };
add chain inet osmo-upf tunmap-pre-321;
add rule inet osmo-upf tunmap-pre-321 ip daddr set 1.1.1.1 meta mark set 321 counter
accept;
add chain inet osmo-upf tunmap-post-321;
-add rule inet osmo-upf tunmap-post-321 ip saddr set 2.2.2.1 @ih,32,32 set 0x102 counter
accept;
+add rule inet osmo-upf tunmap-post-321 ip saddr set 2.2.2.1 udp sport set 2152 @ih,32,32
set 0x102 counter accept;
add element inet osmo-upf tunmap-pre { 2.2.2.3 . 0x203 : jump tunmap-pre-321 };
add element inet osmo-upf tunmap-post { 321 : jump tunmap-post-321 };
diff --git a/tests/unique_ids/unique_ids_test.err b/tests/unique_ids/unique_ids_test.err
index d0565c8..246ea5a 100644
--- a/tests/unique_ids/unique_ids_test.err
+++ b/tests/unique_ids/unique_ids_test.err
@@ -63,17 +63,17 @@
add chain inet osmo-upf tunmap-pre-1;
add rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter
accept;
add chain inet osmo-upf tunmap-post-1;
-add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 @ih,32,32 set 0x101 counter
accept;
+add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32
set 0x101 counter accept;
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };
add element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 };
add chain inet osmo-upf tunmap-pre-2;
add rule inet osmo-upf tunmap-pre-2 ip daddr set 5.6.7.8 meta mark set 2 counter accept;
add chain inet osmo-upf tunmap-post-2;
-add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 @ih,32,32 set 0x100 counter
accept;
+add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32
set 0x100 counter accept;
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };
add element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule inet
osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter accept;\nadd chain
inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1
@ih,32,32 set 0x101 counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2
: jump tunmap-pre-1 };\nadd element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1
};\nadd chain inet osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf tunmap-pre-2 ip daddr
set 5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf tunmap-post-2;\nadd
rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 @ih,32,32 set 0x100 counter
accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };\nadd
element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };\n"
+DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule inet
osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter accept;\nadd chain
inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1
udp sport set 2152 @ih,32,32 set 0x101 counter accept;\nadd element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };\nadd element inet osmo-upf tunmap-post {
1 : jump tunmap-post-1 };\nadd chain inet osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf
tunmap-pre-2 ip daddr set 5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf
tunmap-post-2;\nadd rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp sport set
2152 @ih,32,32 set 0x100 counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 .
0x1 : jump tunmap-pre-2 };\nadd element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2
};\n"
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x100 GTP-access-l:1.1.1.1
TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x101 GTP-core-l:1.1.1.1
TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1: Enabled tunmap, nft
chain IDs: access--1-> <-2--core
[test override] PFCP tx:
@@ -128,17 +128,17 @@
add chain inet osmo-upf tunmap-pre-3;
add rule inet osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 counter
accept;
add chain inet osmo-upf tunmap-post-3;
-add rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1 @ih,32,32 set 0x103 counter
accept;
+add rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32
set 0x103 counter accept;
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 : jump tunmap-pre-3 };
add element inet osmo-upf tunmap-post { 3 : jump tunmap-post-3 };
add chain inet osmo-upf tunmap-pre-4;
add rule inet osmo-upf tunmap-pre-4 ip daddr set 5.6.7.8 meta mark set 4 counter accept;
add chain inet osmo-upf tunmap-post-4;
-add rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 @ih,32,32 set 0x102 counter
accept;
+add rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32
set 0x102 counter accept;
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3 : jump tunmap-pre-4 };
add element inet osmo-upf tunmap-post { 4 : jump tunmap-post-4 };
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-3;\nadd rule inet
osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 counter accept;\nadd chain
inet osmo-upf tunmap-post-3;\nadd rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1
@ih,32,32 set 0x103 counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4
: jump tunmap-pre-3 };\nadd element inet osmo-upf tunmap-post { 3 : jump tunmap-post-3
};\nadd chain inet osmo-upf tunmap-pre-4;\nadd rule inet osmo-upf tunmap-pre-4 ip daddr
set 5.6.7.8 meta mark set 4 counter accept;\nadd chain inet osmo-upf tunmap-post-4;\nadd
rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 @ih,32,32 set 0x102 counter
accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3 : jump tunmap-pre-4 };\nadd
element inet osmo-upf tunmap-post { 4 : jump tunmap-post-4 };\n"
+DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-3;\nadd rule inet
osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 counter accept;\nadd chain
inet osmo-upf tunmap-post-3;\nadd rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1
udp sport set 2152 @ih,32,32 set 0x103 counter accept;\nadd element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x4 : jump tunmap-pre-3 };\nadd element inet osmo-upf tunmap-post {
3 : jump tunmap-post-3 };\nadd chain inet osmo-upf tunmap-pre-4;\nadd rule inet osmo-upf
tunmap-pre-4 ip daddr set 5.6.7.8 meta mark set 4 counter accept;\nadd chain inet osmo-upf
tunmap-post-4;\nadd rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 udp sport set
2152 @ih,32,32 set 0x102 counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 .
0x3 : jump tunmap-pre-4 };\nadd element inet osmo-upf tunmap-post { 4 : jump tunmap-post-4
};\n"
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1
TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1
TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1: Enabled tunmap, nft
chain IDs: access--3-> <-4--core
[test override] PFCP tx:
@@ -236,17 +236,17 @@
add chain inet osmo-upf tunmap-pre-1;
add rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter
accept;
add chain inet osmo-upf tunmap-post-1;
-add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 @ih,32,32 set 0x105 counter
accept;
+add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32
set 0x105 counter accept;
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };
add element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 };
add chain inet osmo-upf tunmap-pre-2;
add rule inet osmo-upf tunmap-pre-2 ip daddr set 5.6.7.8 meta mark set 2 counter accept;
add chain inet osmo-upf tunmap-post-2;
-add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 @ih,32,32 set 0x104 counter
accept;
+add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32
set 0x104 counter accept;
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };
add element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule inet
osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter accept;\nadd chain
inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1
@ih,32,32 set 0x105 counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2
: jump tunmap-pre-1 };\nadd element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1
};\nadd chain inet osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf tunmap-pre-2 ip daddr
set 5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf tunmap-post-2;\nadd
rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 @ih,32,32 set 0x104 counter
accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };\nadd
element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };\n"
+DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule inet
osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter accept;\nadd chain
inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1
udp sport set 2152 @ih,32,32 set 0x105 counter accept;\nadd element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };\nadd element inet osmo-upf tunmap-post {
1 : jump tunmap-post-1 };\nadd chain inet osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf
tunmap-pre-2 ip daddr set 5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf
tunmap-post-2;\nadd rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp sport set
2152 @ih,32,32 set 0x104 counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 .
0x1 : jump tunmap-pre-2 };\nadd element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2
};\n"
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1
TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1
TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1: Enabled tunmap, nft
chain IDs: access--1-> <-2--core
[test override] PFCP tx:
@@ -301,17 +301,17 @@
add chain inet osmo-upf tunmap-pre-5;
add rule inet osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 counter
accept;
add chain inet osmo-upf tunmap-post-5;
-add rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1 @ih,32,32 set 0x107 counter
accept;
+add rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32
set 0x107 counter accept;
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 : jump tunmap-pre-5 };
add element inet osmo-upf tunmap-post { 5 : jump tunmap-post-5 };
add chain inet osmo-upf tunmap-pre-6;
add rule inet osmo-upf tunmap-pre-6 ip daddr set 5.6.7.8 meta mark set 6 counter accept;
add chain inet osmo-upf tunmap-post-6;
-add rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 @ih,32,32 set 0x106 counter
accept;
+add rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32
set 0x106 counter accept;
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5 : jump tunmap-pre-6 };
add element inet osmo-upf tunmap-post { 6 : jump tunmap-post-6 };
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-5;\nadd rule inet
osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 counter accept;\nadd chain
inet osmo-upf tunmap-post-5;\nadd rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1
@ih,32,32 set 0x107 counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6
: jump tunmap-pre-5 };\nadd element inet osmo-upf tunmap-post { 5 : jump tunmap-post-5
};\nadd chain inet osmo-upf tunmap-pre-6;\nadd rule inet osmo-upf tunmap-pre-6 ip daddr
set 5.6.7.8 meta mark set 6 counter accept;\nadd chain inet osmo-upf tunmap-post-6;\nadd
rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 @ih,32,32 set 0x106 counter
accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5 : jump tunmap-pre-6 };\nadd
element inet osmo-upf tunmap-post { 6 : jump tunmap-post-6 };\n"
+DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-5;\nadd rule inet
osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 counter accept;\nadd chain
inet osmo-upf tunmap-post-5;\nadd rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1
udp sport set 2152 @ih,32,32 set 0x107 counter accept;\nadd element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x6 : jump tunmap-pre-5 };\nadd element inet osmo-upf tunmap-post {
5 : jump tunmap-post-5 };\nadd chain inet osmo-upf tunmap-pre-6;\nadd rule inet osmo-upf
tunmap-pre-6 ip daddr set 5.6.7.8 meta mark set 6 counter accept;\nadd chain inet osmo-upf
tunmap-post-6;\nadd rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 udp sport set
2152 @ih,32,32 set 0x106 counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 .
0x5 : jump tunmap-pre-6 };\nadd element inet osmo-upf tunmap-post { 6 : jump tunmap-post-6
};\n"
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1
TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1
TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1: Enabled tunmap, nft
chain IDs: access--5-> <-6--core
[test override] PFCP tx:
Gerrit-Project: osmo-upf
Gerrit-Branch: master
Gerrit-Change-Id: Idaf43f1c2b915846b50a8b97305f0229e34ad539
Gerrit-Change-Number: 36753
Gerrit-PatchSet: 3
Gerrit-Owner: neels <nhofmeyr(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: neels <nhofmeyr(a)sysmocom.de>
Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>
Gerrit-MessageType: merged