GTP Tunnel Mapping via nftables » History » Revision 3
Revision 2 (laforge, 12/06/2022 01:56 PM) → Revision 3/4 (laforge, 12/06/2022 01:59 PM)
h1. GTP Tunnel Mapping via nftables the idea here is that we map one GTP tunnel to another GTP tunnel by doing IP address + TEID rewrite inside the kernel via nftables. h2. Notes * we are treating the UPF tunnel-maping use case as a special case of an _IP router_, which forwards packets between network interfaces. For this to work, _IP forwarding_ must be enabled, just like on any Linux based router. * the routing decision is made based on the new/rewritten packet. So your IP routing tables must be set up in a way that the packet after transformation can be routed to its destination. h2. How the ruleset works The ruleset for a @tunmap@ use case looks like this: <pre> table inet asdf { chain tunmap1 { type filter hook prerouting priority raw; policy accept; meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter; meta l4proto udp ip daddr 127.0.2.2 @ih,32,32 0x2 ip saddr set 127.0.1.2 ip daddr set 127.0.0.2 @ih,32,32 set 0x7fe80001 counter; } } note there are two rules for each GTP tunnel: One for each direction/flow. </pre> h4. defining the chain <pre> chain tunmap1 { type filter hook prerouting priority raw; policy accept; </pre> this defines a chain (list of rules) attached to the _prerouting_ netfilter hook. If no rule hits, the packet shall simply be accepted (passed on unmodified). _prerouting_ happens to all incoming packets before the routing decision (see "Netfilter hooks":https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks). This means the actual routing of the packet is done based on the packet _after_ the transformation rules have been applied. h3. a single rule One rule specifies the transformation to GTP packets in one direction. <pre> meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter; </pre> Explanation of that rule: * @meta l4proto udp@ matches on UDP packets * @ip daddr 127.0.1.2@ matches packets with the stated destination IP address * @@ih,32,32 0x1@ matches packet who contain the 32-bit value 0x00000001 32-bits _after_ the L4 (UDP) header ** this matches the TEID in the GTP header, as it is a 32bit value 4 bytes after the start of the GTP header * @ip saddr set 127.0.2.2@ changes the destination address to the given address * @ip daddr set 127.0.0.3@ changes the destination address to the given address * @@ih,32,32 set 0x7fe80002@ changes the 32-bit value 32-bits after the L4 (UDP) header to 0x7fe80002 ** this overewrites the TEID inside the GTP header * @counter@ adds a counter to the rule so we can see hof often it has been used (how many packets have matched it)