neels has uploaded this change for review. (
https://gerrit.osmocom.org/c/osmo-upf/+/30497
)
Change subject: nft: make sure to use only IP addrs, not port numbers
......................................................................
nft: make sure to use only IP addrs, not port numbers
There should be no port set in the sockaddrs. If there is a nonzero port
by accident, it would mess up the nftables rule: to-string conversion
should yield only an IP address. So ensure all port numbers are zero.
In upf_nft_args, use osmo_sockaddr members instead of pointers, so that
the input args can be modified (to set ports to zero).
Change-Id: If49f1e82e8cb92b7225e85a7c3b059e0f7f92fa3
---
M src/osmo-upf/upf_nft.c
1 file changed, 15 insertions(+), 9 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-upf refs/changes/97/30497/1
diff --git a/src/osmo-upf/upf_nft.c b/src/osmo-upf/upf_nft.c
index c34cbfb..e9c69c4 100644
--- a/src/osmo-upf/upf_nft.c
+++ b/src/osmo-upf/upf_nft.c
@@ -100,11 +100,11 @@
struct upf_nft_args_peer {
/* The source IP address in packets received from this peer */
- const struct osmo_sockaddr *addr_remote;
+ struct osmo_sockaddr addr_remote;
/* The TEID that we send to the peer in GTP packets. */
uint32_t teid_remote;
/* The local destination IP address in packets received from this peer */
- const struct osmo_sockaddr *addr_local;
+ struct osmo_sockaddr addr_local;
/* The TEID that the peer sends to us in GTP packets. */
uint32_t teid_local;
};
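Review bot: The member comments on `addr_remote` and `addr_local` do not record the invariant this change introduces: the struct now holds its own copies of the sockaddrs, and only the IP part is meant to reach the nftables rule. I would extend them, e.g. `/* The source IP address in packets received from this peer. Port must be zero: only the IP is printed into the rule. */`, and likewise for `addr_local`. Anyone filling `upf_nft_args` outside the initializer in the last hunk then knows the port has to be cleared.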
@@ -133,18 +133,18 @@
/* Match on packets coming in at specific local IP */
OSMO_STRBUF_PRINTF(sb, " ip daddr ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, from_peer->addr_local);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &from_peer->addr_local);
/* Match on the TEID in the header */
OSMO_STRBUF_PRINTF(sb, " @ih,32,32 0x%08x", from_peer->teid_local);
/* Change outgoing address to local IP on outgoing interface */
OSMO_STRBUF_PRINTF(sb, " ip saddr set ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_local);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &to_peer->addr_local);
/* Change destination address to to_peer */
OSMO_STRBUF_PRINTF(sb, " ip daddr set ");
- OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_remote);
+ OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &to_peer->addr_remote);
/* Change the TEID in the header to the one to_peer expects */
OSMO_STRBUF_PRINTF(sb, " @ih,32,32 set 0x%08x", to_peer->teid_remote);
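Review bot: The three `OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, ...)` calls still trust that the caller has cleared the port, so the text handed to nftables is only as well-formed as the struct that was passed in. Since this is where the rule string is built, the guarantee is better enforced here. Either assert it for each address, e.g. `OSMO_ASSERT(osmo_sockaddr_port(&from_peer->addr_local.u.sa) == 0);`, or format only the IP part (for instance `inet_ntop()` on `u.sin.sin_addr`) so that a port can never appear in the rule. The enclosing function begins and ends outside the hunk, so I cannot see whether it already validates its arguments.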
@@ -196,18 +196,24 @@
.chain_id = tunmap->id,
.priority = g_upf->nft.priority,
.peer_a = {
- .addr_remote = &tunmap->access.gtp_remote_addr,
+ .addr_remote = tunmap->access.gtp_remote_addr,
.teid_remote = tunmap->access.remote_teid,
- .addr_local = &tunmap->access.gtp_local_addr,
+ .addr_local = tunmap->access.gtp_local_addr,
.teid_local = tunmap->access.local_teid,
},
.peer_b = {
- .addr_remote = &tunmap->core.gtp_remote_addr,
+ .addr_remote = tunmap->core.gtp_remote_addr,
.teid_remote = tunmap->core.remote_teid,
- .addr_local = &tunmap->core.gtp_local_addr,
+ .addr_local = tunmap->core.gtp_local_addr,
.teid_local = tunmap->core.local_teid,
},
};
+ /* There should be no port set in the sockaddrs. If there is a nonzero port by accident,
it would mess up the
+ * nftables rule: to-string conversion should yield only an IP address. So ensure all
port numbers are zero. */
+ osmo_sockaddr_set_port(&args->peer_a.addr_remote.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_a.addr_local.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_b.addr_remote.u.sa, 0);
+ osmo_sockaddr_set_port(&args->peer_b.addr_local.u.sa, 0);
}
int upf_nft_tunmap_create(struct upf_nft_tunmap_desc *tunmap)
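Review bot: Nothing in this initializer checks the address family of the four sockaddrs before they are used in a rule that matches with `ip saddr` / `ip daddr`, which are IPv4 expressions. The added `osmo_sockaddr_set_port()` calls deal with the port, but an IPv6 or unset address copied from `tunmap` would presumably still yield text that nftables rejects or reads differently than intended. A check such as `if (tunmap->access.gtp_remote_addr.u.sa.sa_family != AF_INET)` for each of the four addresses, with an error path, would close that gap. Whether this function can report failure is not visible, because its signature lies above the hunk.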
--
Gerrit-Project: osmo-upf
Gerrit-Branch: master
Gerrit-Change-Id: If49f1e82e8cb92b7225e85a7c3b059e0f7f92fa3
Gerrit-Change-Number: 30497
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr(a)sysmocom.de>
Gerrit-MessageType: newchange