osmith has submitted this change. (
https://gerrit.osmocom.org/c/osmo-upf/+/37762?usp=email )
Change subject: nft: batch nftables commands
......................................................................
nft: batch nftables commands
Store nftables ruleset commands for a limited time and a limited volume
before submitting in batch, in order to minimize the overhead associated
with submitting nftables commands.
Configurable by 'timer nft X32' and 'X33'
Change-Id: Ib0a8e86b29bab1559d94fc55a89daa00ec670318
---
M include/osmocom/upf/upf.h
M src/osmo-upf/upf.c
M src/osmo-upf/upf_nft.c
M tests/unique_ids/unique_ids_test.err
4 files changed, 192 insertions(+), 31 deletions(-)
Approvals:
Jenkins Builder: Verified
pespin: Looks good to me, but someone else must approve
osmith: Looks good to me, approved
laforge: Looks good to me, but someone else must approve
diff --git a/include/osmocom/upf/upf.h b/include/osmocom/upf/upf.h
index db73c1f..145567b 100644
--- a/include/osmocom/upf/upf.h
+++ b/include/osmocom/upf/upf.h
@@ -44,6 +44,7 @@
#define PORT_GTP1_U 2152
extern struct osmo_tdef_group g_upf_tdef_groups[];
+extern struct osmo_tdef g_upf_nft_tdefs[];
struct pfcp_vty_cfg {
char *local_addr;
diff --git a/src/osmo-upf/upf.c b/src/osmo-upf/upf.c
index 3d00cc2..a4cb79b 100644
--- a/src/osmo-upf/upf.c
+++ b/src/osmo-upf/upf.c
@@ -36,8 +36,20 @@
struct g_upf *g_upf = NULL;
+struct osmo_tdef g_upf_nft_tdefs[] = {
+ { .T = -32, .default_val = 1000, .unit = OSMO_TDEF_MS,
+ .desc = "How long to wait for more nft rulesets before flushing in
batch",
+ },
+ { .T = -33, .default_val = 1, .unit = OSMO_TDEF_CUSTOM,
+ .desc = "When reaching this nr of queued nft rulesets, flush the
queue",
+ .max_val = 128,
+ },
+ {}
+};
+
struct osmo_tdef_group g_upf_tdef_groups[] = {
{ "pfcp", "PFCP endpoint timers", osmo_pfcp_tdefs, },
+ { "nft", "netfilter timers", g_upf_nft_tdefs, },
{}
};
diff --git a/src/osmo-upf/upf_nft.c b/src/osmo-upf/upf_nft.c
index c14dbf7..bc0ee36 100644
--- a/src/osmo-upf/upf_nft.c
+++ b/src/osmo-upf/upf_nft.c
@@ -26,6 +26,7 @@
#include <osmocom/core/talloc.h>
#include <osmocom/core/logging.h>
+#include <osmocom/core/timer.h>
#include <osmocom/upf/upf.h>
#include <osmocom/upf/upf_nft.h>
@@ -59,9 +60,10 @@
table_name);
}
-static int upf_nft_run(const char *ruleset)
+static int upf_nft_run_now(const char *ruleset)
{
int rc;
+ const int logmax = 256;
if (g_upf->tunmap.mockup) {
LOGP(DNFT, LOGL_NOTICE, "tunmap/mockup active: not running nft
ruleset: '%s'\n", ruleset);
@@ -81,14 +83,135 @@
return -EIO;
}
- LOGP(DNFT, LOGL_DEBUG, "run nft ruleset: %s\n",
osmo_quote_str_c(OTC_SELECT, ruleset, -1));
+ if (log_check_level(DNFT, LOGL_DEBUG)) {
+ size_t l = strlen(ruleset);
+ LOGP(DNFT, LOGL_DEBUG, "ran nft ruleset, %zu chars: \"%s%s\"\n",
+ l,
+ osmo_escape_cstr_c(OTC_SELECT, ruleset, OSMO_MIN(logmax,
l)),
+ l > logmax ? "..." : "");
+ }
+
return 0;
}
+struct nft_queue {
+ struct osmo_tdef *flush_time_tdef;
+ struct osmo_tdef *ruleset_max_tdef;
+ struct osmo_strbuf sb;
+ /* 128 NFT rulesets amount to about 110 kb of char */
+ char buf[1<<17];
+ unsigned int ruleset_count;
+ struct osmo_timer_list timer;
+};
+
+static void nft_queue_clear_buf(struct nft_queue *q)
+{
+ q->sb = (struct osmo_strbuf){ .buf = q->buf, .len = sizeof(q->buf) };
+ q->buf[0] = '\0';
+}
+
+static void nft_queue_init(void *ctx, struct nft_queue *q,
+ struct osmo_tdef *flush_time_tdef,
+ struct osmo_tdef *ruleset_max_tdef)
+{
+ *q = (struct nft_queue){
+ .flush_time_tdef = flush_time_tdef,
+ .ruleset_max_tdef = ruleset_max_tdef,
+ };
+ nft_queue_clear_buf(q);
+}
+
+static void nft_queue_flush(struct nft_queue *q, const char *reason)
+{
+ static unsigned int flush_count = 0;
+ static unsigned int ruleset_count = 0;
+
+ /* We will now flush the queue empty. A timer needs to run only when
the next pending entry is added. */
+ osmo_timer_del(&q->timer);
+
+ /* Nothing to send? */
+ if (!q->sb.chars_needed)
+ return;
+
+ flush_count++;
+ ruleset_count += q->ruleset_count;
+ LOGP(DNFT, LOGL_INFO, "Flushing NFT ruleset queue: %s: n:%u strlen:%zu
(flush count: %u avg rules per flush: %s)\n",
+ reason,
+ q->ruleset_count, q->sb.chars_needed,
+ flush_count, osmo_int_to_float_str_c(OTC_SELECT, 10 *
ruleset_count / flush_count, 1));
+
+ q->ruleset_count = 0;
+
+ upf_nft_run_now(q->sb.buf);
+
+ nft_queue_clear_buf(q);
+}
+
+static void nft_queue_flush_cb(void *q)
+{
+ nft_queue_flush(q, "timeout");
+}
+
+static int nft_enqueue(struct nft_queue *q,
+ int (*tunmap_to_str_buf)(char *buf, size_t len, struct
upf_tunmap *tunmap),
+ struct upf_tunmap *tunmap)
+{
+ int ruleset_max;
+ struct osmo_strbuf q_sb_was = q->sb;
+
+ OSMO_STRBUF_APPEND(q->sb, tunmap_to_str_buf, tunmap);
+
+ /* is that being cut off? then revert the addition. This should never
happen in practice. */
+ if (q->sb.chars_needed >= q->sb.len) {
+ q->sb = q_sb_was;
+ if (q->sb.pos)
+ *q->sb.pos = '\0';
+ nft_queue_flush(q, "reached max nr of chars");
+ OSMO_STRBUF_APPEND(q->sb, tunmap_to_str_buf, tunmap);
+ }
+
+ /* Append separator -- no problem if that gets cut off. */
+ OSMO_STRBUF_PRINTF(q->sb, "\n");
+
+ q->ruleset_count++;
+
+ LOGP(DNFT, LOGL_INFO, "Added NFT ruleset to queue: n:%u strlen:%zu\n",
+ q->ruleset_count, q->sb.chars_needed);
+
+ /* Added a rule, see if it has reached ruleset_max. */
+ ruleset_max = osmo_tdef_get(q->ruleset_max_tdef,
q->ruleset_max_tdef->T, OSMO_TDEF_CUSTOM, 128);
+ if (q->ruleset_count >= ruleset_max) {
+ nft_queue_flush(q, "reached max nr of rules");
+ return 0;
+ }
+
+ /* Item added. If the timer is not running yet, schedule a flush in
given timeout */
+ if (!osmo_timer_pending(&q->timer)) {
+ struct osmo_tdef *t;
+ unsigned long us;
+ osmo_timer_setup(&q->timer, nft_queue_flush_cb, q);
+ t = q->flush_time_tdef;
+ us = osmo_tdef_get(t, t->T, OSMO_TDEF_US, 100000);
+ osmo_timer_schedule(&q->timer, us / 1000000, us % 1000000);
+ }
+ return 0;
+}
+
+static void nft_queue_free(struct nft_queue *q)
+{
+ osmo_timer_del(&q->timer);
+}
+
+static struct nft_queue g_nft_queue = {};
+
int upf_nft_init()
{
int rc;
+ nft_queue_init(g_upf, &g_nft_queue,
+ osmo_tdef_get_entry(g_upf_nft_tdefs, -32),
+ osmo_tdef_get_entry(g_upf_nft_tdefs, -33));
+
/* Always set up the default settings, also in mockup mode, so that the
VTY reflects sane values */
if (!g_upf->tunmap.table_name)
g_upf->tunmap.table_name = talloc_strdup(g_upf, "osmo-upf");
@@ -106,7 +229,7 @@
return -EIO;
}
- rc = upf_nft_run(upf_nft_tunmap_get_table_init_str(OTC_SELECT));
+ rc = upf_nft_run_now(upf_nft_tunmap_get_table_init_str(OTC_SELECT));
if (rc) {
LOGP(DNFT, LOGL_ERROR, "Failed to create nft table %s\n",
osmo_quote_str_c(OTC_SELECT, g_upf->tunmap.table_name,
-1));
@@ -114,7 +237,7 @@
}
LOGP(DNFT, LOGL_NOTICE, "Created nft table %s\n",
osmo_quote_str_c(OTC_SELECT, g_upf->tunmap.table_name, -1));
- rc = upf_nft_run(upf_nft_tunmap_get_vmap_init_str(OTC_SELECT));
+ rc = upf_nft_run_now(upf_nft_tunmap_get_vmap_init_str(OTC_SELECT));
if (rc) {
LOGP(DNFT, LOGL_ERROR, "Failed to initialize nft verdict map in
table %s\n", g_upf->tunmap.table_name);
return rc;
@@ -124,6 +247,7 @@
int upf_nft_free()
{
+ nft_queue_free(&g_nft_queue);
if (!g_upf->tunmap.nft_ctx)
return 0;
nft_ctx_free(g_upf->tunmap.nft_ctx);
@@ -263,11 +387,6 @@
return sb.chars_needed;
}
-static char *upf_nft_ruleset_tunmap_create_c(void *ctx, const struct
upf_nft_args *args)
-{
- OSMO_NAME_C_IMPL(ctx, 1024, "ERROR", upf_nft_ruleset_tunmap_create_buf,
args)
-}
-
static int upf_nft_ruleset_tunmap_delete_buf(char *buf, size_t buflen, const
struct upf_nft_args *args)
{
struct osmo_strbuf sb = { .buf = buf, .len = buflen };
@@ -280,11 +399,6 @@
return sb.chars_needed;
}
-static char *upf_nft_ruleset_tunmap_delete_c(void *ctx, const struct
upf_nft_args *args)
-{
- OSMO_NAME_C_IMPL(ctx, 512, "ERROR", upf_nft_ruleset_tunmap_delete_buf,
args)
-}
-
int upf_nft_tunmap_to_str_buf(char *buf, size_t buflen, const struct
upf_tunmap *tunmap)
{
struct osmo_strbuf sb = { .buf = buf, .len = buflen };
@@ -344,18 +458,28 @@
g_upf->tunmap.priority_post);
}
-char *upf_nft_tunmap_get_ruleset_str(void *ctx, struct upf_tunmap *tunmap)
+int upf_nft_tunmap_get_ruleset_str_buf(char *buf, size_t len, struct
upf_tunmap *tunmap)
{
struct upf_nft_args args;
upf_nft_args_from_tunmap(&args, tunmap);
- return upf_nft_ruleset_tunmap_create_c(ctx, &args);
+ return upf_nft_ruleset_tunmap_create_buf(buf, len, &args);
+}
+
+char *upf_nft_tunmap_get_ruleset_str(void *ctx, struct upf_tunmap *tunmap)
+{
+ OSMO_NAME_C_IMPL(ctx, 1024, "ERROR",
upf_nft_tunmap_get_ruleset_str_buf, tunmap)
+}
+
+int upf_nft_tunmap_get_ruleset_del_str_buf(char *buf, size_t len, struct
upf_tunmap *tunmap)
+{
+ struct upf_nft_args args;
+ upf_nft_args_from_tunmap(&args, tunmap);
+ return upf_nft_ruleset_tunmap_delete_buf(buf, len, &args);
}
char *upf_nft_tunmap_get_ruleset_del_str(void *ctx, struct upf_tunmap *tunmap)
{
- struct upf_nft_args args;
- upf_nft_args_from_tunmap(&args, tunmap);
- return upf_nft_ruleset_tunmap_delete_c(ctx, &args);
+ OSMO_NAME_C_IMPL(ctx, 1024, "ERROR",
upf_nft_tunmap_get_ruleset_del_str_buf, tunmap)
}
static int upf_nft_tunmap_ensure_chain_id(struct upf_nft_tun *tun)
@@ -373,10 +497,10 @@
if (upf_nft_tunmap_ensure_chain_id(&tunmap->access)
|| upf_nft_tunmap_ensure_chain_id(&tunmap->core))
return -ENOSPC;
- return upf_nft_run(upf_nft_tunmap_get_ruleset_str(OTC_SELECT, tunmap));
+ return nft_enqueue(&g_nft_queue, upf_nft_tunmap_get_ruleset_str_buf,
tunmap);
}
int upf_nft_tunmap_delete(struct upf_tunmap *tunmap)
{
- return upf_nft_run(upf_nft_tunmap_get_ruleset_del_str(OTC_SELECT,
tunmap));
+ return nft_enqueue(&g_nft_queue,
upf_nft_tunmap_get_ruleset_del_str_buf, tunmap);
}
diff --git a/tests/unique_ids/unique_ids_test.err
b/tests/unique_ids/unique_ids_test.err
index 246ea5a..8274f26 100644
--- a/tests/unique_ids/unique_ids_test.err
+++ b/tests/unique_ids/unique_ids_test.err
@@ -8,7 +8,7 @@
[test override] nft_run_cmd_from_buffer():
add table inet osmo-upf { flags owner; };
-DNFT DEBUG run nft ruleset: "add table inet osmo-upf { flags owner; };\n"
+DNFT DEBUG ran nft ruleset, 42 chars: "add table inet osmo-upf { flags owner;
};\n"
DNFT NOTICE Created nft table "osmo-upf"
[test override] nft_run_cmd_from_buffer():
@@ -19,7 +19,7 @@
add rule inet osmo-upf pre udp dport 2152 ip daddr . @ih,32,32 vmap
@tunmap-pre;
add rule inet osmo-upf post meta mark vmap @tunmap-post;
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf pre { type filter hook
prerouting priority -300; policy accept; };\nadd chain inet osmo-upf post {
type filter hook postrouting priority 400; policy accept; };\nadd map inet
osmo-upf tunmap-pre { typeof ip daddr . @ih,32,32 : verdict; };\nadd map inet
osmo-upf tunmap-post { typeof meta mark : verdict; };\nadd rule inet osmo-upf
pre udp dport 2152 ip daddr . @ih,32,32 vmap @tunmap-pre;\nadd rule inet
osmo-upf post meta mark vmap @tunmap-post;\n"
+DNFT DEBUG ran nft ruleset, 465 chars: "add chain inet osmo-upf pre { type
filter hook prerouting priority -300; policy accept; };\nadd chain inet
osmo-upf post { type filter hook postrouting priority 400; policy accept;
};\nadd map inet osmo-upf tunmap-pre { typeof ip daddr . @ih,32,32 :
verdict;..."
PFCP Associate peer
DPEER DEBUG up_peer{NOT_ASSOCIATED}: Allocated
@@ -58,6 +58,8 @@
DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: GTP actions: 0 previously
active; want active: 1
DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: want: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x100 GTP-access-l:1.1.1.1 TEID-access-l:0x2
GTP-core-r:13.14.15.16 TEID-core-r:0x101 GTP-core-l:1.1.1.1 TEID-core-l:0x1
PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: enabling: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x100 GTP-access-l:1.1.1.1 TEID-access-l:0x2
GTP-core-r:13.14.15.16 TEID-core-r:0x101 GTP-core-l:1.1.1.1 TEID-core-l:0x1
PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:847
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:847
(flush count: 1 avg rules per flush: 1)
[test override] nft_run_cmd_from_buffer():
add chain inet osmo-upf tunmap-pre-1;
@@ -73,7 +75,8 @@
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };
add element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule
inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter
accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf
tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x101
counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump
tunmap-pre-1 };\nadd element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1
};\nadd chain inet osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf tunmap-pre-2
ip daddr set 5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf
tunmap-post-2;\nadd rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp
sport set 2152 @ih,32,32 set 0x100 counter accept;\nadd element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };\nadd element inet osmo-upf
tunmap-post { 2 : jump tunmap-post-2 };\n"
+
+DNFT DEBUG ran nft ruleset, 847 chars: "add chain inet osmo-upf
tunmap-pre-1;\nadd rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16
meta mark set 1 counter accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd
rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152
@ih,32,32..."
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x100
GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x101
GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2
PDR-core:1: Enabled tunmap, nft chain IDs: access--1-> <-2--core
[test override] PFCP tx:
@@ -123,6 +126,8 @@
DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: GTP actions: 0 previously
active; want active: 1
DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: want: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4
GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3
PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1
DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: enabling: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4
GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3
PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:847
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:847
(flush count: 2 avg rules per flush: 1)
[test override] nft_run_cmd_from_buffer():
add chain inet osmo-upf tunmap-pre-3;
@@ -138,7 +143,8 @@
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3 : jump tunmap-pre-4 };
add element inet osmo-upf tunmap-post { 4 : jump tunmap-post-4 };
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-3;\nadd rule
inet osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 counter
accept;\nadd chain inet osmo-upf tunmap-post-3;\nadd rule inet osmo-upf
tunmap-post-3 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x103
counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 : jump
tunmap-pre-3 };\nadd element inet osmo-upf tunmap-post { 3 : jump tunmap-post-3
};\nadd chain inet osmo-upf tunmap-pre-4;\nadd rule inet osmo-upf tunmap-pre-4
ip daddr set 5.6.7.8 meta mark set 4 counter accept;\nadd chain inet osmo-upf
tunmap-post-4;\nadd rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 udp
sport set 2152 @ih,32,32 set 0x102 counter accept;\nadd element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x3 : jump tunmap-pre-4 };\nadd element inet osmo-upf
tunmap-post { 4 : jump tunmap-post-4 };\n"
+
+DNFT DEBUG ran nft ruleset, 847 chars: "add chain inet osmo-upf
tunmap-pre-3;\nadd rule inet osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16
meta mark set 3 counter accept;\nadd chain inet osmo-upf tunmap-post-3;\nadd
rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1 udp sport set 2152
@ih,32,32..."
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102
GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103
GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2
PDR-core:1: Enabled tunmap, nft chain IDs: access--3-> <-4--core
[test override] PFCP tx:
@@ -182,6 +188,8 @@
DREF INFO up_peer(1-2-3-4){ASSOCIATED}: - msg-tx: now used by 0 (-)
DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event
UP_PEER_EV_USE_COUNT_ZERO
DSESSION NOTICE up_session(1-2-3-4-0x1){ESTABLISHED}: Session releasing:
peer:1.2.3.4 SEID-r:0x100 SEID-l:0x1 state:ESTABLISHED PDR-active:2/2
FAR-active:2/2 GTP-active:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:381
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:381
(flush count: 3 avg rules per flush: 1)
[test override] nft_run_cmd_from_buffer():
delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 };
@@ -193,7 +201,8 @@
delete chain inet osmo-upf tunmap-pre-2;
delete chain inet osmo-upf tunmap-post-2;
-DNFT DEBUG run nft ruleset: "delete element inet osmo-upf tunmap-pre { 1.1.1.1
. 0x2 };\ndelete element inet osmo-upf tunmap-post { 1 };\ndelete chain inet
osmo-upf tunmap-pre-1;\ndelete chain inet osmo-upf tunmap-post-1;\ndelete
element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 };\ndelete element inet
osmo-upf tunmap-post { 2 };\ndelete chain inet osmo-upf tunmap-pre-2;\ndelete
chain inet osmo-upf tunmap-post-2;\n"
+
+DNFT DEBUG ran nft ruleset, 381 chars: "delete element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x2 };\ndelete element inet osmo-upf tunmap-post { 1
};\ndelete chain inet osmo-upf tunmap-pre-1;\ndelete chain inet osmo-upf
tunmap-post-1;\ndelete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1
};\ndelete ..."
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x100
GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x101
GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2
PDR-core:1: Disabled tunmap, nft chain IDs: access--1-> <-2--core
DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: State change to
WAIT_USE_COUNT (no timeout)
DSESSION DEBUG up_session(1-2-3-4-0x1){WAIT_USE_COUNT}: GTP actions: 0
previously active; want active: 0
@@ -231,6 +240,8 @@
DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: GTP actions: 0 previously
active; want active: 1
DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: want: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2
GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1
PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: enabling: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2
GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1
PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:847
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:847
(flush count: 4 avg rules per flush: 1)
[test override] nft_run_cmd_from_buffer():
add chain inet osmo-upf tunmap-pre-1;
@@ -246,7 +257,8 @@
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };
add element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-1;\nadd rule
inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter
accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf
tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x105
counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump
tunmap-pre-1 };\nadd element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1
};\nadd chain inet osmo-upf tunmap-pre-2;\nadd rule inet osmo-upf tunmap-pre-2
ip daddr set 5.6.7.8 meta mark set 2 counter accept;\nadd chain inet osmo-upf
tunmap-post-2;\nadd rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp
sport set 2152 @ih,32,32 set 0x104 counter accept;\nadd element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };\nadd element inet osmo-upf
tunmap-post { 2 : jump tunmap-post-2 };\n"
+
+DNFT DEBUG ran nft ruleset, 847 chars: "add chain inet osmo-upf
tunmap-pre-1;\nadd rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16
meta mark set 1 counter accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd
rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152
@ih,32,32..."
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104
GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105
GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2
PDR-core:1: Enabled tunmap, nft chain IDs: access--1-> <-2--core
[test override] PFCP tx:
@@ -296,6 +308,8 @@
DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: GTP actions: 0 previously
active; want active: 1
DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: want: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6
GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5
PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1
DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: enabling: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6
GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5
PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:847
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:847
(flush count: 5 avg rules per flush: 1)
[test override] nft_run_cmd_from_buffer():
add chain inet osmo-upf tunmap-pre-5;
@@ -311,7 +325,8 @@
add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5 : jump tunmap-pre-6 };
add element inet osmo-upf tunmap-post { 6 : jump tunmap-post-6 };
-DNFT DEBUG run nft ruleset: "add chain inet osmo-upf tunmap-pre-5;\nadd rule
inet osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 counter
accept;\nadd chain inet osmo-upf tunmap-post-5;\nadd rule inet osmo-upf
tunmap-post-5 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x107
counter accept;\nadd element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 : jump
tunmap-pre-5 };\nadd element inet osmo-upf tunmap-post { 5 : jump tunmap-post-5
};\nadd chain inet osmo-upf tunmap-pre-6;\nadd rule inet osmo-upf tunmap-pre-6
ip daddr set 5.6.7.8 meta mark set 6 counter accept;\nadd chain inet osmo-upf
tunmap-post-6;\nadd rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 udp
sport set 2152 @ih,32,32 set 0x106 counter accept;\nadd element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x5 : jump tunmap-pre-6 };\nadd element inet osmo-upf
tunmap-post { 6 : jump tunmap-post-6 };\n"
+
+DNFT DEBUG ran nft ruleset, 847 chars: "add chain inet osmo-upf
tunmap-pre-5;\nadd rule inet osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16
meta mark set 5 counter accept;\nadd chain inet osmo-upf tunmap-post-5;\nadd
rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1 udp sport set 2152
@ih,32,32..."
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106
GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107
GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2
PDR-core:1: Enabled tunmap, nft chain IDs: access--5-> <-6--core
[test override] PFCP tx:
@@ -348,6 +363,8 @@
DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: GTP actions: 1 previously
active; want active: 0
DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: active: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6
GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5
PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1
DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: disabling: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6
GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5
PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:381
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:381
(flush count: 6 avg rules per flush: 1)
[test override] nft_run_cmd_from_buffer():
delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 };
@@ -359,7 +376,8 @@
delete chain inet osmo-upf tunmap-pre-6;
delete chain inet osmo-upf tunmap-post-6;
-DNFT DEBUG run nft ruleset: "delete element inet osmo-upf tunmap-pre { 1.1.1.1
. 0x6 };\ndelete element inet osmo-upf tunmap-post { 5 };\ndelete chain inet
osmo-upf tunmap-pre-5;\ndelete chain inet osmo-upf tunmap-post-5;\ndelete
element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5 };\ndelete element inet
osmo-upf tunmap-post { 6 };\ndelete chain inet osmo-upf tunmap-pre-6;\ndelete
chain inet osmo-upf tunmap-post-6;\n"
+
+DNFT DEBUG ran nft ruleset, 381 chars: "delete element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x6 };\ndelete element inet osmo-upf tunmap-post { 5
};\ndelete chain inet osmo-upf tunmap-pre-5;\ndelete chain inet osmo-upf
tunmap-post-5;\ndelete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5
};\ndelete ..."
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106
GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107
GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2
PDR-core:1: Disabled tunmap, nft chain IDs: access--5-> <-6--core
DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: Freeing instance
DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: Deallocated
@@ -368,6 +386,8 @@
DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: GTP actions: 1 previously
active; want active: 0
DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: active: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2
GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1
PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: disabling: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2
GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1
PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:381
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:381
(flush count: 7 avg rules per flush: 1)
[test override] nft_run_cmd_from_buffer():
delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 };
@@ -379,7 +399,8 @@
delete chain inet osmo-upf tunmap-pre-2;
delete chain inet osmo-upf tunmap-post-2;
-DNFT DEBUG run nft ruleset: "delete element inet osmo-upf tunmap-pre { 1.1.1.1
. 0x2 };\ndelete element inet osmo-upf tunmap-post { 1 };\ndelete chain inet
osmo-upf tunmap-pre-1;\ndelete chain inet osmo-upf tunmap-post-1;\ndelete
element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 };\ndelete element inet
osmo-upf tunmap-post { 2 };\ndelete chain inet osmo-upf tunmap-pre-2;\ndelete
chain inet osmo-upf tunmap-post-2;\n"
+
+DNFT DEBUG ran nft ruleset, 381 chars: "delete element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x2 };\ndelete element inet osmo-upf tunmap-post { 1
};\ndelete chain inet osmo-upf tunmap-pre-1;\ndelete chain inet osmo-upf
tunmap-post-1;\ndelete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1
};\ndelete ..."
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104
GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105
GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2
PDR-core:1: Disabled tunmap, nft chain IDs: access--1-> <-2--core
DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Freeing instance
DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Deallocated
@@ -388,6 +409,8 @@
DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: GTP actions: 1 previously
active; want active: 0
DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: active: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4
GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3
PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1
DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: disabling: GTP:tunmap
GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4
GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3
PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:381
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:381
(flush count: 8 avg rules per flush: 1)
[test override] nft_run_cmd_from_buffer():
delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 };
@@ -399,7 +422,8 @@
delete chain inet osmo-upf tunmap-pre-4;
delete chain inet osmo-upf tunmap-post-4;
-DNFT DEBUG run nft ruleset: "delete element inet osmo-upf tunmap-pre { 1.1.1.1
. 0x4 };\ndelete element inet osmo-upf tunmap-post { 3 };\ndelete chain inet
osmo-upf tunmap-pre-3;\ndelete chain inet osmo-upf tunmap-post-3;\ndelete
element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3 };\ndelete element inet
osmo-upf tunmap-post { 4 };\ndelete chain inet osmo-upf tunmap-pre-4;\ndelete
chain inet osmo-upf tunmap-post-4;\n"
+
+DNFT DEBUG ran nft ruleset, 381 chars: "delete element inet osmo-upf
tunmap-pre { 1.1.1.1 . 0x4 };\ndelete element inet osmo-upf tunmap-post { 3
};\ndelete chain inet osmo-upf tunmap-pre-3;\ndelete chain inet osmo-upf
tunmap-post-3;\ndelete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3
};\ndelete ..."
DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102
GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103
GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2
PDR-core:1: Disabled tunmap, nft chain IDs: access--3-> <-4--core
DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: Freeing instance
DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: Deallocated
--
To view, visit https://gerrit.osmocom.org/c/osmo-upf/+/37762?usp=email
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: merged
Gerrit-Project: osmo-upf
Gerrit-Branch: master
Gerrit-Change-Id: Ib0a8e86b29bab1559d94fc55a89daa00ec670318
Gerrit-Change-Number: 37762
Gerrit-PatchSet: 5
Gerrit-Owner: neels <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: osmith <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
