Attention is currently required from: pespin.

Hello Jenkins Builder,
I'd like you to reexamine a change. Please visit
https://gerrit.osmocom.org/c/osmo-upf/+/31165
to look at the new patch set (#4).
Change subject: tunmap: refactor nft ruleset: fix "martians" and "1024"
tunmap: refactor nft ruleset: fix "martians" and "1024"
Take care of two problems:
- limitation of <= 1024 base chains in nftables, so far meaning we can establish at most 1024 GTP tunnel mappings.
- mangling of source IP in prerouting, so far meaning that the system needs to be configured to permit 'martian' packets.
The new ruleset separates in pre- and post-routing, so that we set a new destination IP address in pre-routing, and set a new source IP address in post-routing. Hence no problem with martian packet rejection.
The new ruleset uses verdict maps, which are more efficient, and do not hit a limit of 1024 as base chains do.
Related: SYS#6327 SYS#6264
Change-Id: Iccb975a1c0f8a2087f7b7dc4942a6b41f5675a13
---
M include/osmocom/upf/upf.h
M include/osmocom/upf/upf_nft.h
M src/osmo-upf/up_gtp_action.c
M src/osmo-upf/upf.c
M src/osmo-upf/upf_nft.c
M src/osmo-upf/upf_vty.c
M tests/nft-rule.vty
7 files changed, 245 insertions(+), 82 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-upf refs/changes/65/31165/4
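
The layout the commit message describes, sketched as an added illustration (not taken from the patch or from osmo-upf): two base chains whose only rule is a verdict-map lookup, with one pair of regular chains per tunnel mapping. Table, map and chain names, the addresses (documentation ranges), TEIDs, mark value and hook priorities are all constructed, and it assumes an nftables release that supports the `@ih` inner-header payload base.

```nft
# Constructed example ruleset; load with: nft -f <file>
table inet tunmap_demo {
    # One element per tunnel mapping. Elements jump to regular chains,
    # so the number of base chains stays at two however many mappings exist.
    map tunmap_pre {
        # key: local GTP address . TEID (bits 32..63 of the GTPv1-U header)
        typeof ip daddr . @ih,32,32 : verdict
    }
    map tunmap_post {
        # key: packet mark set by the matching pre-routing chain
        typeof meta mark : verdict
    }

    # Base chain 1: runs before the routing decision.
    chain pre {
        type filter hook prerouting priority -300; policy accept;
        udp dport 2152 ip daddr . @ih,32,32 vmap @tunmap_pre
    }

    # Base chain 2: runs after the routing decision.
    chain post {
        type filter hook postrouting priority 400; policy accept;
        meta mark vmap @tunmap_post
    }

    # Mapping 1, pre-routing half: only the destination is rewritten here,
    # so the source address is still the peer's when the packet is routed.
    chain tunmap_pre_1 {
        ip daddr set 203.0.113.7 meta mark set 1 counter accept
    }

    # Mapping 1, post-routing half: source address and TEID are rewritten
    # only after routing has accepted the packet.
    chain tunmap_post_1 {
        ip saddr set 198.51.100.1 udp sport set 2152 @ih,32,32 set 0x202 counter accept
    }
}

# Adding a mapping means adding two regular chains and two map elements.
add element inet tunmap_demo tunmap_pre { 198.51.100.1 . 0x101 : jump tunmap_pre_1 }
add element inet tunmap_demo tunmap_post { 1 : jump tunmap_post_1 }
```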