fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-hnbgw/+/41752?usp=email )
Change subject: nft_kpi: add udp/2152 filtering rules separately
......................................................................
nft_kpi: add udp/2152 filtering rules separately
Mixing declarative and imperative syntax is supported by recent
nftables versions, but is known to be broken in older releases.
This affects the nftables version currently provided by Osmocom
for Debian 12 (bookworm): 1.0.6.3~osmocom.429.7d98.
As a result, the generated ruleset ends up accepting all packets rather
than only udp/2152 as intended. Consequently, the nftables counters do
not reflect GTP-U traffic alone, but also include signalling traffic.
Let's work this around by adding the udp/2152 filtering rules separately
using the imperative syntax. Split the logic for adding a chain into
a separate function to avoid code duplication.
Change-Id: I36eb3b18751fc029297fb91545af2d28e61067fd
Related: SYS#7808
---
M src/osmo-hnbgw/nft_kpi.c
1 file changed, 19 insertions(+), 14 deletions(-)
Approvals:
Jenkins Builder: Verified
pespin: Looks good to me, but someone else must approve
osmith: Looks good to me, but someone else must approve
fixeria: Looks good to me, approved
diff --git a/src/osmo-hnbgw/nft_kpi.c b/src/osmo-hnbgw/nft_kpi.c
index f8671fc..3513688 100644
--- a/src/osmo-hnbgw/nft_kpi.c
+++ b/src/osmo-hnbgw/nft_kpi.c
@@ -324,6 +324,23 @@
LOGP(DNFT, LOGL_DEBUG, "thread %s: successfully allocated nft ctx\n",
g_nft_thread->label);
}
+static void _nft_add_chain(struct osmo_strbuf *sb,
+ const char *chain_name,
+ const char *hook)
+{
+ /* add a chain */
+ OSMO_STRBUF_PRINTF(*sb,
+ "add chain inet %s %s {"
+ " type filter hook %s priority 0; policy accept;"
+ "};\n",
+ g_nft_thread->table_name, chain_name, hook);
+ /* accept (ignore) all traffic other than GTP-U (udp/2152) */
+ OSMO_STRBUF_PRINTF(*sb, "add rule inet %s %s ip protocol != udp
accept;\n",
+ g_nft_thread->table_name, chain_name);
+ OSMO_STRBUF_PRINTF(*sb, "add rule inet %s %s udp dport != 2152
accept;\n",
+ g_nft_thread->table_name, chain_name);
+}
+
/* worker thread */
static int do_init_table(void)
{
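Review bot: `_nft_add_chain()` needs a short doc comment stating its contract, since its correctness depends on ordering that is not visible at the call site: the two `accept` rules it emits must be the first rules in the chain so that everything other than udp/2152 leaves the chain before any counter rule added later can see it. Something like `/* Add a filter chain that accepts (i.e. skips) all non-GTP-U traffic; counter rules must be appended after this. */` above the function would do, and the `/* accept (ignore) ... */` comment could also mention that the rules are deliberately emitted as separate `add rule` commands rather than inside the `add chain { }` block, which is the whole point of the change per the commit message and otherwise looks like an accidental stylistic difference. One caveat worth a comment as well: `ip protocol != udp` is an IPv4-only match, so in this `inet` table an IPv6 non-UDP packet matches neither accept rule and falls through to whatever rules follow; that is unchanged from the old inline rules, but now that the filter lives in one place it is the natural spot to note that only IPv4 GTP-U is in scope.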
@@ -332,20 +349,8 @@
/* add global nftables structures */
OSMO_STRBUF_PRINTF(sb, "add table inet %s { flags owner; };\n",
g_nft_thread->table_name);
- OSMO_STRBUF_PRINTF(sb,
- "add chain inet %s gtpu-ul {"
- " type filter hook prerouting priority 0; policy
accept;"
- " ip protocol != udp accept;"
- " udp dport != 2152 accept;"
- "};\n",
- g_nft_thread->table_name);
- OSMO_STRBUF_PRINTF(sb,
- "add chain inet %s gtpu-dl {"
- " type filter hook postrouting priority 0; policy
accept;"
- " ip protocol != udp accept;"
- " udp dport != 2152 accept;"
- "};\n",
- g_nft_thread->table_name);
+ _nft_add_chain(&sb, "gtpu-ul", "prerouting");
+ _nft_add_chain(&sb, "gtpu-dl", "postrouting");
OSMO_ASSERT(sb.chars_needed < sizeof(cmd));
return nft_run_now(cmd, NULL, NULL);
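Review bot: with the chain-creation moved into `_nft_add_chain()`, the `OSMO_ASSERT(sb.chars_needed < sizeof(cmd))` is the only guard against the three extra commands per chain overrunning `cmd`, and it now sits several calls away from where the bytes are produced; since `osmo_strbuf` truncates rather than overflows, a truncated ruleset would otherwise be handed to `nft_run_now()` silently. Keep the assert where it is, but consider a one-line comment at the `_nft_add_chain(&sb, ...)` calls (or in the helper) pointing at it, so that anyone adding another chain or rule knows `cmd` must be sized accordingly. The helper also takes the hook as a free-form string; `"prerouting"` and `"postrouting"` are the only values used here, so that is fine, but a brief note that the strings are interpolated verbatim into the nft command would save a future reader from wondering whether they need quoting.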
--
Gerrit-MessageType: merged
Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: I36eb3b18751fc029297fb91545af2d28e61067fd
Gerrit-Change-Number: 41752
Gerrit-PatchSet: 5
Gerrit-Owner: fixeria <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <[email protected]>
Gerrit-Reviewer: neels <[email protected]>
Gerrit-Reviewer: osmith <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
Gerrit-CC: laforge <[email protected]>