fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-hnbgw/+/41752?usp=email )
Change subject: nft_kpi: add udp/2152 filtering rules separately ......................................................................
nft_kpi: add udp/2152 filtering rules separately
Change-Id: I36eb3b18751fc029297fb91545af2d28e61067fd Related: SYS#7808 --- M src/osmo-hnbgw/nft_kpi.c 1 file changed, 31 insertions(+), 14 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/52/41752/1
diff --git a/src/osmo-hnbgw/nft_kpi.c b/src/osmo-hnbgw/nft_kpi.c
index f8671fc..5121320 100644
--- a/src/osmo-hnbgw/nft_kpi.c
+++ b/src/osmo-hnbgw/nft_kpi.c
@@ -325,33 +325,50 @@ }
/* worker thread */
-static int do_init_table(void)
+static int do_add_chain(bool uplink)
 {
 char cmd[1024];
 struct osmo_strbuf sb = { .buf = cmd, .len = sizeof(cmd) };
/* add global nftables structures */
- OSMO_STRBUF_PRINTF(sb, "add table inet %s { flags owner; };\n", g_nft_thread->table_name);
 OSMO_STRBUF_PRINTF(sb,
- "add chain inet %s gtpu-ul {"
- " type filter hook prerouting priority 0; policy accept;"
- " ip protocol != udp accept;"
- " udp dport != 2152 accept;"
+ "add chain inet %s gtpu-%s {"
+ " type filter hook %srouting priority 0; policy accept;"
 "};\n",
- g_nft_thread->table_name);
- OSMO_STRBUF_PRINTF(sb,
- "add chain inet %s gtpu-dl {"
- " type filter hook postrouting priority 0; policy accept;"
- " ip protocol != udp accept;"
- " udp dport != 2152 accept;"
- "};\n",
- g_nft_thread->table_name);
+ g_nft_thread->table_name,
+ uplink ? "ul" : "dl",
+ uplink ? "pre" : "post");
+ OSMO_STRBUF_PRINTF(sb, "add rule inet %s gtpu-%s ip protocol != udp accept;\n",
+ g_nft_thread->table_name,
+ uplink ? "ul" : "dl");
+ OSMO_STRBUF_PRINTF(sb, "add rule inet %s gtpu-%s udp dport != 2152 accept;\n",
+ g_nft_thread->table_name,
+ uplink ? "ul" : "dl");
 OSMO_ASSERT(sb.chars_needed < sizeof(cmd));
return nft_run_now(cmd, NULL, NULL);
 }
/* worker thread */
+static int do_init_table(void)
+{
+ int rc;
+ char cmd[1024];
+ struct osmo_strbuf sb = { .buf = cmd, .len = sizeof(cmd) };
+
+ /* add global nftables structures */
+ OSMO_STRBUF_PRINTF(sb, "add table inet %s { flags owner; };\n", g_nft_thread->table_name);
+ OSMO_ASSERT(sb.chars_needed < sizeof(cmd));
+ if ((rc = nft_run_now(cmd, NULL, NULL)) != 0)
+ return rc;
+ if ((rc = do_add_chain(true)) != 0) /* gtpu-ul */
+ return rc;
+ if ((rc = do_add_chain(false)) != 0) /* gtpu-dl */
+ return rc;
+ return 0;
+}
+
+/* worker thread */
 static void nft_t2m_enqueue(struct nft_thread *t, struct nft_thread_req *req)
 {
 LOGP(DNFT, LOGL_DEBUG, "main() <- %s: %s rc=%d\n", t->label, nft_thread_req_type_name[req->type], req->rc);
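Review bot: Splitting the table, gtpu-ul and gtpu-dl setup into three separate nft_run_now() calls in the new do_init_table gives up the all-or-nothing behaviour the old single three-command batch had: if do_add_chain(false) fails, the table and a fully populated gtpu-ul chain stay installed (presumably until the `flags owner` socket goes away), and any retry re-runs the non-idempotent `add rule` commands on gtpu-ul, appending duplicate accept rules. Keeping the rules as separate `add rule` commands, which seems to be the point of the change, does not require separate transactions — they can be separate lines in one buffer exactly as the original string already mixed three commands, assuming nft_run_now submits its buffer as one batch; 1024 bytes comfortably holds all seven commands. I would have do_add_chain append to a caller-provided strbuf and keep a single nft_run_now plus a single OSMO_ASSERT on chars_needed, as sketched below. Separately, in an `inet` table `ip protocol != udp accept` only matches IPv4, so IPv6 non-UDP packets slip past both accept rules into whatever follows in the chain; this is pre-existing, but `meta l4proto != udp accept` would cover both families.
```c
/* worker thread: append one base chain and its two accept rules to an open batch */
static void add_chain_cmds(struct osmo_strbuf *sb, bool uplink)
{
	const char *dir = uplink ? "ul" : "dl";

	OSMO_STRBUF_PRINTF(*sb,
			   "add chain inet %s gtpu-%s {"
			   " type filter hook %srouting priority 0; policy accept;"
			   "};\n",
			   g_nft_thread->table_name, dir, uplink ? "pre" : "post");
	OSMO_STRBUF_PRINTF(*sb, "add rule inet %s gtpu-%s ip protocol != udp accept;\n",
			   g_nft_thread->table_name, dir);
	OSMO_STRBUF_PRINTF(*sb, "add rule inet %s gtpu-%s udp dport != 2152 accept;\n",
			   g_nft_thread->table_name, dir);
}

/* worker thread */
static int do_init_table(void)
{
	char cmd[1024];
	struct osmo_strbuf sb = { .buf = cmd, .len = sizeof(cmd) };

	/* add global nftables structures */
	OSMO_STRBUF_PRINTF(sb, "add table inet %s { flags owner; };\n", g_nft_thread->table_name);
	add_chain_cmds(&sb, true);  /* gtpu-ul */
	add_chain_cmds(&sb, false); /* gtpu-dl */
	OSMO_ASSERT(sb.chars_needed < sizeof(cmd));
	/* one batch: either the whole table lands in the kernel or nothing does */
	return nft_run_now(cmd, NULL, NULL);
}
/* … unchanged: nft_t2m_enqueue … */
```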