neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-upf/+/30499 )
Change subject: vty: add: show nft-rule tunmap example ......................................................................
vty: add: show nft-rule tunmap example
Add VTY command to print out an nftables ruleset that osmo-upf produces, with arbitrary IP addrs / TEIDs inserted. This allows tracking in *.vty tests how the nftables rulesets are changed by patches.
future: - Adding the 'tunmap' keyword to allow adding show commands for different uses of nftables. - Adding the 'example' keyword to allow adding show commands for actual tunmap IDs / PFCP session IDs / ... - Matches upcoming vty commands 'nft-rule tunmap append .NFT_RULE' 'no nft-rule tunmap append' 'show nft-rule tunmap append'
Add a new, separate nft-rule.vty -- more to come here in an upcoming patch.
Change-Id: I9b57aa492c051e480c9bd819ae58f8f59a13af40 --- M src/osmo-upf/upf_nft.c M src/osmo-upf/upf_vty.c A tests/nft-rule.vty M tests/upf.vty 4 files changed, 65 insertions(+), 3 deletions(-)
diff --git a/src/osmo-upf/upf_nft.c b/src/osmo-upf/upf_nft.c
index afc2fac..a0f005d 100644
--- a/src/osmo-upf/upf_nft.c
+++ b/src/osmo-upf/upf_nft.c
@@ -64,6 +64,12 @@
 int upf_nft_init()
 {
 int rc;
+
+ /* Always set up the default settings, also in mockup mode, so that the VTY reflects sane values */
+ if (!g_upf->nft.table_name)
+ g_upf->nft.table_name = talloc_strdup(g_upf, "osmo-upf");
+
+ /* When in mockup mode, do not set up nft_ctx and netfilter table */
 if (g_upf->nft.mockup) {
 LOGP(DNFT, LOGL_NOTICE, "tunmap/mockup active: not allocating libnftables nft_ctx. FOR TESTING PURPOSES ONLY.\n");
@@ -76,9 +82,6 @@
 return -EIO;
 }
 
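Review bot: The talloc_strdup() that seeds the default table name is not checked, so on allocation failure g_upf->nft.table_name stays NULL and upf_nft_init() carries on; in mockup mode it returns early with that NULL in place, and in the non-mockup path the later `upf_nft_run(upf_nft_ruleset_table_create(OTC_SELECT, g_upf->nft.table_name))` receives it. A check directly after the assignment, `if (!g_upf->nft.table_name) return -ENOMEM;` (the function already returns -EIO, so errno values are in scope) or an OSMO_ASSERT per the project's usual talloc handling, keeps the failure visible instead of surfacing as a NULL name later. upf_nft_init() continues past this hunk.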
- if (!g_upf->nft.table_name)
- g_upf->nft.table_name = talloc_strdup(g_upf, "osmo-upf");
-
 rc = upf_nft_run(upf_nft_ruleset_table_create(OTC_SELECT, g_upf->nft.table_name));
 if (rc) {
 LOGP(DNFT, LOGL_ERROR, "Failed to create nft table %s\n",
diff --git a/src/osmo-upf/upf_vty.c b/src/osmo-upf/upf_vty.c
index aff7590..6d74b21 100644
--- a/src/osmo-upf/upf_vty.c
+++ b/src/osmo-upf/upf_vty.c
@@ -254,6 +254,43 @@
 return CMD_SUCCESS;
 }
 
+#define NFT_RULE_STR "nftables rule specifics\n"
+#define TUNMAP_STR "GTP tunmap use case (a.k.a. forwarding between two GTP tunnels)\n"
+
+DEFUN(show_nft_rule_tunmap_example, show_nft_rule_tunmap_example_cmd,
+ "show nft-rule tunmap example",
+ SHOW_STR NFT_RULE_STR TUNMAP_STR
+ "Print a complete nftables ruleset for a tunmap filled with example IP addresses and TEIDs\n")
+{
+ struct osmo_sockaddr_str str = {};
+ struct upf_nft_tunmap_desc d = {
+ .access = {
+ .local_teid = 0x201,
+ .remote_teid = 0x102,
+ },
+ .core = {
+ .local_teid = 0x203,
+ .remote_teid = 0x302,
+ },
+ .id = 123,
+ };
+
+ osmo_sockaddr_str_from_str2(&str, "1.1.1.1");
+ osmo_sockaddr_str_to_sockaddr(&str, &d.access.gtp_remote_addr.u.sas);
+
+ osmo_sockaddr_str_from_str2(&str, "2.2.2.1");
+ osmo_sockaddr_str_to_sockaddr(&str, &d.access.gtp_local_addr.u.sas);
+
+ osmo_sockaddr_str_from_str2(&str, "2.2.2.3");
+ osmo_sockaddr_str_to_sockaddr(&str, &d.core.gtp_local_addr.u.sas);
+
+ osmo_sockaddr_str_from_str2(&str, "3.3.3.3");
+ osmo_sockaddr_str_to_sockaddr(&str, &d.core.gtp_remote_addr.u.sas);
+
+ vty_out(vty, "%s%s", upf_nft_tunmap_get_ruleset_str(OTC_SELECT, &d), VTY_NEWLINE);
+ return CMD_SUCCESS;
+}
+
 static struct cmd_node cfg_netinst_node = {
 NETINST_NODE,
 "%s(config-netinst)# ",
@@ -435,6 +472,7 @@
 install_element(TUNMAP_NODE, &cfg_tunmap_mockup_cmd);
 install_element(TUNMAP_NODE, &cfg_tunmap_no_mockup_cmd);
 install_element(TUNMAP_NODE, &cfg_tunmap_table_name_cmd);
+ install_element(TUNMAP_NODE, &show_nft_rule_tunmap_example_cmd);
 
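Review bot: The result of upf_nft_tunmap_get_ruleset_str(OTC_SELECT, &d) is passed straight to `vty_out(vty, "%s%s", ...)`; if that helper can return NULL (presumably on a talloc failure, its contract is not visible here) the "%s" would print "(null)" or worse, so the value should be captured and checked before printing, returning CMD_WARNING with a "% ..." message as below. The four osmo_sockaddr_str_from_str2()/osmo_sockaddr_str_to_sockaddr() return values are also dropped; with fixed literal addresses that is harmless, but a one-line comment such as `/* literal addresses, conversion cannot fail */` would make the intent explicit. Installing the command only under TUNMAP_NODE (the @@ -435 hunk) means it is unavailable from VIEW/ENABLE; if that is deliberate for the *.vty tests a comment on the install_element() line would help.

```c
	/* … unchanged: example tunmap desc and address setup … */
	const char *ruleset = upf_nft_tunmap_get_ruleset_str(OTC_SELECT, &d);
	if (!ruleset) {
		vty_out(vty, "%% Failed to compose nftables ruleset%s", VTY_NEWLINE);
		return CMD_WARNING;
	}
	vty_out(vty, "%s%s", ruleset, VTY_NEWLINE);
	return CMD_SUCCESS;
```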
 install_node(&cfg_netinst_node, config_write_netinst);
 install_element(CONFIG_NODE, &cfg_netinst_cmd);
diff --git a/tests/nft-rule.vty b/tests/nft-rule.vty
new file mode 100644
index 0000000..f328871
--- /dev/null
+++ b/tests/nft-rule.vty
@@ -0,0 +1,8 @@
+OsmoUPF> enable
+OsmoUPF# configure terminal
+OsmoUPF(config)# tunmap
+
+OsmoUPF(config-tunmap)# show nft-rule tunmap example
+add chain inet osmo-upf tunmap123 { type filter hook prerouting priority -300; }
+add rule inet osmo-upf tunmap123 meta l4proto udp ip daddr 2.2.2.1 @ih,32,32 0x00000201 ip saddr set 2.2.2.3 ip daddr set 3.3.3.3 @ih,32,32 set 0x00000302 counter;
+add rule inet osmo-upf tunmap123 meta l4proto udp ip daddr 2.2.2.3 @ih,32,32 0x00000203 ip saddr set 2.2.2.1 ip daddr set 1.1.1.1 @ih,32,32 set 0x00000102 counter;
diff --git a/tests/upf.vty b/tests/upf.vty
index 5100b17..8931719 100644
--- a/tests/upf.vty
+++ b/tests/upf.vty
@@ -52,6 +52,7 @@
 mockup
 no mockup
 table-name TABLE_NAME
+ show nft-rule tunmap example
 OsmoUPF(config-tunmap)# exit
 
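Review bot: The expected rules captured in nft-rule.vty select packets on `meta l4proto udp ip daddr 2.2.2.1 @ih,32,32 0x00000201` alone, i.e. any UDP datagram to the local address whose 32 bits at payload offset 32 equal the TEID, with no `udp dport` match on the GTP-U port; a UDP flow on another port whose payload happens to carry that value at that offset would be rewritten and forwarded the same way. That is the generator's behaviour rather than something this patch changes, but since this file now pins the ruleset for future patches, a comment near the top of the test stating whether the missing port match is intentional would stop a later reader from treating the expected output as authoritative on that point.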
 OsmoUPF(config)# tunmap
@@ -60,6 +61,7 @@
 mockup
 no mockup
 table-name TABLE_NAME
+ show nft-rule tunmap example
 
 OsmoUPF(config-tunmap)# mockup?
 mockup don't actually send rulesets to nftables, just return success
@@ -70,3 +72,14 @@
 table-name Set the nft inet table name to create and place GTP tunnel forwarding chains in (as in 'nft add table inet foo'). If multiple instances of osmo-upf are running on the same system, each osmo-upf must have its own table name. Otherwise the names of created forwarding chains will collide. The default table name is "osmo-upf".
 OsmoUPF(config-tunmap)# table-name ?
 TABLE_NAME nft inet table name
+
+OsmoUPF(config-tunmap)# show?
+ show Show running system information
+OsmoUPF(config-tunmap)# show ?
+...
+ nft-rule nftables rule specifics
+...
+OsmoUPF(config-tunmap)# show nft-rule ?
+ tunmap GTP tunmap use case (a.k.a. forwarding between two GTP tunnels)
+OsmoUPF(config-tunmap)# show nft-rule tunmap ?
+ example Print a complete nftables ruleset for a tunmap filled with example IP addresses and TEIDs