neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-upf/+/35668?usp=email )
Change subject: manual: explain IP forwarding
manual: explain IP forwarding
Change-Id: I7b54f9203c1a77efd43f90b9a1c0105bc5c3efde
---
M doc/manuals/chapters/running.adoc
1 file changed, 47 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-upf refs/changes/68/35668/1
diff --git a/doc/manuals/chapters/running.adoc b/doc/manuals/chapters/running.adoc index d1a399b..ee66970 100644 --- a/doc/manuals/chapters/running.adoc +++ b/doc/manuals/chapters/running.adoc @@ -167,7 +167,7 @@ The Linux kernel netfilter module is used for GTP tunnel proxying, also known as tunnel forwarding or tunnel mapping.
-When using the netfilter module, you may set up `osmo-upf.cfg` for: +When using the netfilter module, you should configure: - GTP Echo (required) - netfilter table name (optional)
@@ -220,3 +220,40 @@
When running more than one osmo-upf process on a system, pick distinct table names to avoid name collisions in the nftables rulesets. + +=== IP Forwarding + +In order to allow the forwarding GTP payloads, the Linux operating system must +be configured to allow IP forwarding. There are several options: + +To allow IP forwarding from and to all interfaces globally in a reboot-safe way, +you may put a line like this in /etc/sysctl.conf: + +---- +net.ipv4.ip_forward=1 +---- + +To do the same in an ad-hoc way that is not reboot safe but takes effect +immediately: + +---- +sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" +---- + +The above options may be too permissive for your production environment. It is +possible to instruct netfilter to allow IP forwarding for specific interfaces +only, with a configuration like this: + +---- +define gtp_netdevs = { eth0, eth23 }; + +table inet filter { + chain forward { + type filter hook forward priority filter; policy drop; + iifname $gtp_netdevs oifname $gtp_netdevs udp dport 2152 accept + } +} +---- + +This netfilter ruleset allows IP forwarding, but limited to the GTP-U port 2152, +and to two specific network interfaces eth0 and eth23.
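Review bot: In the new "IP Forwarding" section, the nftables ruleset is presented as a third alternative to the sysctl ("There are several options"), but it is not one: the netfilter forward hook only sees packets the kernel has already decided to route, so `net.ipv4.ip_forward=1` is still required and the ruleset restricts forwarding rather than enabling it. Suggest rewording the last paragraph so the ruleset is described as a restriction applied on top of the sysctl. Two further caveats worth a sentence each: `policy drop;` on the forward chain drops every other forwarded flow on the host, and loading `table inet filter { ... }` into a system that already has a table of that name adds to it rather than replacing it, so readers with an existing ruleset should merge the rule by hand. The sysctl shown is IPv4-only; if the GTP-U endpoints are reached over IPv6, `net.ipv6.conf.all.forwarding=1` is needed as well. Typos: "allow the forwarding GTP payloads" should read "allow the forwarding of GTP payloads", and "reboot safe" / "reboot-safe" should be hyphenated consistently.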