laforge has submitted this change. ( 
https://gerrit.osmocom.org/c/osmo-upf/+/36753?usp=email )

Change subject: tunmap: always set GTP-U source port to 2152 when forwarding
......................................................................

tunmap: always set GTP-U source port to 2152 when forwarding

We see GTP-U originating from ports other than 2152 in the field. When
osmo-upf forwards these, we want to forward from our GTP-U port 2152,
since that is the only port osmo-upf has bound for GTP-U (for echo).

According to 3GPP TS 29.060, the *destination* port for GTP-U shall be
2152 -- but the source port is apparently allowed to be different.

Before this patch, we would forward GTP-U like this:

  3.3.3.3:33333 -> (3.3.3.4:2152  UPF  2.2.2.2:33333) -> 1.1.1.1:2152
                                               ^^^^^

Instead we want to always send from UDP source port 2152:

  3.3.3.3:33333 -> (3.3.3.4:2152  UPF  2.2.2.2:2152) -> 1.1.1.1:2152
                                               ^^^^

This hasn't shown up before because so far all GTP-U peers we saw
consistently used source port 2152.

Related: SYS#6773
Change-Id: Idaf43f1c2b915846b50a8b97305f0229e34ad539
---
M src/osmo-upf/upf_nft.c
M tests/nft-rule.vty
M tests/unique_ids/unique_ids_test.err
3 files changed, 46 insertions(+), 15 deletions(-)

Approvals:
  neels: Looks good to me, but someone else must approve
  laforge: Looks good to me, approved
  Jenkins Builder: Verified




diff --git a/src/osmo-upf/upf_nft.c b/src/osmo-upf/upf_nft.c
index 4401f1e..c14dbf7 100644
--- a/src/osmo-upf/upf_nft.c
+++ b/src/osmo-upf/upf_nft.c
@@ -177,7 +177,7 @@
         * # add chain for verdict map in postrouting
         * add chain inet osmo-upf tunmap-post-123
         * # mangle source address and GTP TID at postrouting
-        * add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.1 
@ih,32,32 set 0x00000102 counter accept
+        * add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.1 udp 
sport set 2152 @ih,32,32 set 0x00000102 counter accept
         *
         * # add elements to verdict map, jump to chain
         * add element inet osmo-upf tunmap-pre { 2.2.2.3 . 0x00000203 : jump 
tunmap-pre-123 }
@@ -200,6 +200,7 @@
                           args->table_name, from_peer->chain_id);
        OSMO_STRBUF_PRINTF(sb, " ip saddr set ");
        OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_local);
+       OSMO_STRBUF_PRINTF(sb, " udp sport set 2152");
        OSMO_STRBUF_PRINTF(sb, " @ih,32,32 set 0x%x", to_peer->teid_remote);
        OSMO_STRBUF_PRINTF(sb, " counter accept;\n");
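Review bot: The port in the added `" udp sport set 2152"` statement is a bare literal inside the format string, so nothing ties it to the port the GTP-U socket is actually bound to. If the bind port ever differs, forwarded packets would carry a source port that osmo-upf is not listening on. Formatting it from the constant used at bind time keeps the two in sync, e.g. `OSMO_STRBUF_PRINTF(sb, " udp sport set %u", GTPU_PORT);`, where `GTPU_PORT` is a placeholder for whatever name the project already defines. The statement also rewrites the source port of every packet that reaches the tunmap-post chain, so a short comment such as `/* force our bound GTP-U port as source; peers may send from other ports */` would help. It is also worth confirming that only UDP GTP-U traffic can be marked into this chain; the matching rules and the rest of this function lie outside the hunk.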

diff --git a/tests/nft-rule.vty b/tests/nft-rule.vty
index 0fe3648..8f7b98a 100644
--- a/tests/nft-rule.vty
+++ b/tests/nft-rule.vty
@@ -18,13 +18,13 @@
 add chain inet osmo-upf tunmap-pre-123;
 add rule inet osmo-upf tunmap-pre-123 ip daddr set 3.3.3.3 meta mark set 123 
counter accept;
 add chain inet osmo-upf tunmap-post-123;
-add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.3 @ih,32,32 set 
0x302 counter accept;
+add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.3 udp sport set 2152 
@ih,32,32 set 0x302 counter accept;
 add element inet osmo-upf tunmap-pre { 2.2.2.1 . 0x201 : jump tunmap-pre-123 };
 add element inet osmo-upf tunmap-post { 123 : jump tunmap-post-123 };
 add chain inet osmo-upf tunmap-pre-321;
 add rule inet osmo-upf tunmap-pre-321 ip daddr set 1.1.1.1 meta mark set 321 
counter accept;
 add chain inet osmo-upf tunmap-post-321;
-add rule inet osmo-upf tunmap-post-321 ip saddr set 2.2.2.1 @ih,32,32 set 
0x102 counter accept;
+add rule inet osmo-upf tunmap-post-321 ip saddr set 2.2.2.1 udp sport set 2152 
@ih,32,32 set 0x102 counter accept;
 add element inet osmo-upf tunmap-pre { 2.2.2.3 . 0x203 : jump tunmap-pre-321 };
 add element inet osmo-upf tunmap-post { 321 : jump tunmap-post-321 };

diff --git a/tests/unique_ids/unique_ids_test.err 
b/tests/unique_ids/unique_ids_test.err
index d0565c8..246ea5a 100644
--- a/tests/unique_ids/unique_ids_test.err
+++ b/tests/unique_ids/unique_ids_test.err
@@ -63,17 +63,17 @@
 add chain inet osmo-upf tunmap-pre-1;
 add rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 
counter accept;
 add chain inet osmo-upf tunmap-post-1;
-add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 @ih,32,32 set 0x101 
counter accept;
+add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 
@ih,32,32 set 0x101 counter accept;
 add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };
 add element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 };
 add chain inet osmo-upf tunmap-pre-2;
 add rule inet osmo-upf tunmap-pre-2 ip daddr set 5.6.7.8 meta mark set 2 
counter accept;
 add chain inet osmo-upf tunmap-post-2;
-add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 @ih,32,32 set 0x100 
counter accept;
+add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp sport set 2152 
@ih,32,32 set 0x100 counter accept;
 add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };
 add element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };

-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule 
inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter 
accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf 
tunmap-post-1 ip saddr set 1.1.1.1 @ih,32,32 set 0x101 counter accept;\nadd 
element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };\nadd 
element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 };\nadd chain inet 
osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf tunmap-pre-2 ip daddr set 
5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf 
tunmap-post-2;\nadd rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 
@ih,32,32 set 0x100 counter accept;\nadd element inet osmo-upf tunmap-pre { 
1.1.1.1 . 0x1 : jump tunmap-pre-2 };\nadd element inet osmo-upf tunmap-post { 2 
: jump tunmap-post-2 };\n"
+DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule 
inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter 
accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf 
tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x101 
counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump 
tunmap-pre-1 };\nadd element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 
};\nadd chain inet osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf tunmap-pre-2 
ip daddr set 5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf 
tunmap-post-2;\nadd rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp 
sport set 2152 @ih,32,32 set 0x100 counter accept;\nadd element inet osmo-upf 
tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };\nadd element inet osmo-upf 
tunmap-post { 2 : jump tunmap-post-2 };\n"
 DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x100 
GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x101 
GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 
PDR-core:1: Enabled tunmap, nft chain IDs: access--1-> <-2--core

 [test override] PFCP tx:
@@ -128,17 +128,17 @@
 add chain inet osmo-upf tunmap-pre-3;
 add rule inet osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 
counter accept;
 add chain inet osmo-upf tunmap-post-3;
-add rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1 @ih,32,32 set 0x103 
counter accept;
+add rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1 udp sport set 2152 
@ih,32,32 set 0x103 counter accept;
 add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 : jump tunmap-pre-3 };
 add element inet osmo-upf tunmap-post { 3 : jump tunmap-post-3 };
 add chain inet osmo-upf tunmap-pre-4;
 add rule inet osmo-upf tunmap-pre-4 ip daddr set 5.6.7.8 meta mark set 4 
counter accept;
 add chain inet osmo-upf tunmap-post-4;
-add rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 @ih,32,32 set 0x102 
counter accept;
+add rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 udp sport set 2152 
@ih,32,32 set 0x102 counter accept;
 add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3 : jump tunmap-pre-4 };
 add element inet osmo-upf tunmap-post { 4 : jump tunmap-post-4 };

-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-3;\nadd rule 
inet osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 counter 
accept;\nadd chain inet osmo-upf tunmap-post-3;\nadd rule inet osmo-upf 
tunmap-post-3 ip saddr set 1.1.1.1 @ih,32,32 set 0x103 counter accept;\nadd 
element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 : jump tunmap-pre-3 };\nadd 
element inet osmo-upf tunmap-post { 3 : jump tunmap-post-3 };\nadd chain inet 
osmo-upf tunmap-pre-4;\nadd rule inet osmo-upf tunmap-pre-4 ip daddr set 
5.6.7.8 meta mark set 4 counter accept;\nadd chain inet osmo-upf 
tunmap-post-4;\nadd rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 
@ih,32,32 set 0x102 counter accept;\nadd element inet osmo-upf tunmap-pre { 
1.1.1.1 . 0x3 : jump tunmap-pre-4 };\nadd element inet osmo-upf tunmap-post { 4 
: jump tunmap-post-4 };\n"
+DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-3;\nadd rule 
inet osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 counter 
accept;\nadd chain inet osmo-upf tunmap-post-3;\nadd rule inet osmo-upf 
tunmap-post-3 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x103 
counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 : jump 
tunmap-pre-3 };\nadd element inet osmo-upf tunmap-post { 3 : jump tunmap-post-3 
};\nadd chain inet osmo-upf tunmap-pre-4;\nadd rule inet osmo-upf tunmap-pre-4 
ip daddr set 5.6.7.8 meta mark set 4 counter accept;\nadd chain inet osmo-upf 
tunmap-post-4;\nadd rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 udp 
sport set 2152 @ih,32,32 set 0x102 counter accept;\nadd element inet osmo-upf 
tunmap-pre { 1.1.1.1 . 0x3 : jump tunmap-pre-4 };\nadd element inet osmo-upf 
tunmap-post { 4 : jump tunmap-post-4 };\n"
 DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102 
GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103 
GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 
PDR-core:1: Enabled tunmap, nft chain IDs: access--3-> <-4--core

 [test override] PFCP tx:
@@ -236,17 +236,17 @@
 add chain inet osmo-upf tunmap-pre-1;
 add rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 
counter accept;
 add chain inet osmo-upf tunmap-post-1;
-add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 @ih,32,32 set 0x105 
counter accept;
+add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 
@ih,32,32 set 0x105 counter accept;
 add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };
 add element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 };
 add chain inet osmo-upf tunmap-pre-2;
 add rule inet osmo-upf tunmap-pre-2 ip daddr set 5.6.7.8 meta mark set 2 
counter accept;
 add chain inet osmo-upf tunmap-post-2;
-add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 @ih,32,32 set 0x104 
counter accept;
+add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp sport set 2152 
@ih,32,32 set 0x104 counter accept;
 add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };
 add element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };

-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule 
inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter 
accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf 
tunmap-post-1 ip saddr set 1.1.1.1 @ih,32,32 set 0x105 counter accept;\nadd 
element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };\nadd 
element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 };\nadd chain inet 
osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf tunmap-pre-2 ip daddr set 
5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf 
tunmap-post-2;\nadd rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 
@ih,32,32 set 0x104 counter accept;\nadd element inet osmo-upf tunmap-pre { 
1.1.1.1 . 0x1 : jump tunmap-pre-2 };\nadd element inet osmo-upf tunmap-post { 2 
: jump tunmap-post-2 };\n"
+DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule 
inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter 
accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf 
tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x105 
counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump 
tunmap-pre-1 };\nadd element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 
};\nadd chain inet osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf tunmap-pre-2 
ip daddr set 5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf 
tunmap-post-2;\nadd rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp 
sport set 2152 @ih,32,32 set 0x104 counter accept;\nadd element inet osmo-upf 
tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };\nadd element inet osmo-upf 
tunmap-post { 2 : jump tunmap-post-2 };\n"
 DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104 
GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105 
GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 
PDR-core:1: Enabled tunmap, nft chain IDs: access--1-> <-2--core

 [test override] PFCP tx:
@@ -301,17 +301,17 @@
 add chain inet osmo-upf tunmap-pre-5;
 add rule inet osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 
counter accept;
 add chain inet osmo-upf tunmap-post-5;
-add rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1 @ih,32,32 set 0x107 
counter accept;
+add rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1 udp sport set 2152 
@ih,32,32 set 0x107 counter accept;
 add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 : jump tunmap-pre-5 };
 add element inet osmo-upf tunmap-post { 5 : jump tunmap-post-5 };
 add chain inet osmo-upf tunmap-pre-6;
 add rule inet osmo-upf tunmap-pre-6 ip daddr set 5.6.7.8 meta mark set 6 
counter accept;
 add chain inet osmo-upf tunmap-post-6;
-add rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 @ih,32,32 set 0x106 
counter accept;
+add rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 udp sport set 2152 
@ih,32,32 set 0x106 counter accept;
 add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5 : jump tunmap-pre-6 };
 add element inet osmo-upf tunmap-post { 6 : jump tunmap-post-6 };

-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-5;\nadd rule 
inet osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 counter 
accept;\nadd chain inet osmo-upf tunmap-post-5;\nadd rule inet osmo-upf 
tunmap-post-5 ip saddr set 1.1.1.1 @ih,32,32 set 0x107 counter accept;\nadd 
element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 : jump tunmap-pre-5 };\nadd 
element inet osmo-upf tunmap-post { 5 : jump tunmap-post-5 };\nadd chain inet 
osmo-upf tunmap-pre-6;\nadd rule inet osmo-upf tunmap-pre-6 ip daddr set 
5.6.7.8 meta mark set 6 counter accept;\nadd chain inet osmo-upf 
tunmap-post-6;\nadd rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 
@ih,32,32 set 0x106 counter accept;\nadd element inet osmo-upf tunmap-pre { 
1.1.1.1 . 0x5 : jump tunmap-pre-6 };\nadd element inet osmo-upf tunmap-post { 6 
: jump tunmap-post-6 };\n"
+DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-5;\nadd rule 
inet osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 counter 
accept;\nadd chain inet osmo-upf tunmap-post-5;\nadd rule inet osmo-upf 
tunmap-post-5 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x107 
counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 : jump 
tunmap-pre-5 };\nadd element inet osmo-upf tunmap-post { 5 : jump tunmap-post-5 
};\nadd chain inet osmo-upf tunmap-pre-6;\nadd rule inet osmo-upf tunmap-pre-6 
ip daddr set 5.6.7.8 meta mark set 6 counter accept;\nadd chain inet osmo-upf 
tunmap-post-6;\nadd rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 udp 
sport set 2152 @ih,32,32 set 0x106 counter accept;\nadd element inet osmo-upf 
tunmap-pre { 1.1.1.1 . 0x5 : jump tunmap-pre-6 };\nadd element inet osmo-upf 
tunmap-post { 6 : jump tunmap-post-6 };\n"
 DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106 
GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107 
GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 
PDR-core:1: Enabled tunmap, nft chain IDs: access--5-> <-6--core

 [test override] PFCP tx:


Gerrit-Project: osmo-upf
Gerrit-Branch: master
Gerrit-Change-Id: Idaf43f1c2b915846b50a8b97305f0229e34ad539
Gerrit-Change-Number: 36753
Gerrit-PatchSet: 3
Gerrit-Owner: neels <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: neels <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
Gerrit-MessageType: merged
