GTP Tunnel Mapping via nftables » History » Revision 3

Revision 2 (laforge, 12/06/2022 01:56 PM) → Revision 3/4 (laforge, 12/06/2022 01:59 PM)

h1. GTP Tunnel Mapping via nftables 

The idea is to map one GTP tunnel onto another by rewriting the IP addresses and the TEID inside the kernel via nftables.

h2. Notes

* we are treating the UPF tunnel-mapping use case as a special case of an _IP router_, which forwards packets between network interfaces. For this to work, _IP forwarding_ must be enabled, just like on any Linux based router.
* the routing decision is made on the new/rewritten packet. So your IP routing tables must be set up in a way that the packet _after_ transformation can be routed to its destination.


h2. How the ruleset works

The ruleset for a @tunmap@ use case looks like this:

<pre>
table inet asdf {
        chain tunmap1 {
                type filter hook prerouting priority raw; policy accept;
                meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter;
                meta l4proto udp ip daddr 127.0.2.2 @ih,32,32 0x2 ip saddr set 127.0.1.2 ip daddr set 127.0.0.2 @ih,32,32 set 0x7fe80001 counter;
        }
}
</pre>

Note that there are two rules for each GTP tunnel: one for each direction/flow.

h4. defining the chain

<pre>
chain tunmap1 {
        type filter hook prerouting priority raw; policy accept;
</pre>

This defines a chain (list of rules) attached to the _prerouting_ netfilter hook. If no rule matches, the packet is simply accepted (passed on unmodified). The @raw@ priority (-300) places the chain ahead of connection tracking (-200), so conntrack only ever sees the rewritten packet.

_prerouting_ happens to all incoming packets before the routing decision (see "Netfilter hooks":https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks). This means the actual routing of the packet is done based on the packet _after_ the transformation rules have been applied.

h3. a single rule

One rule specifies the transformation applied to GTP packets in one direction.

<pre>
meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter;
</pre>

Explanation of that rule:

* @meta l4proto udp@ matches UDP packets
** note that the rule does not check the UDP port, so any UDP packet to the stated address whose payload bytes 4..7 happen to equal the TEID will match; adding a @udp dport 2152@ (GTP-U) match would tighten it
* @ip daddr 127.0.1.2@ matches packets with the stated destination IP address
* @@ih,32,32 0x1@ matches packets that carry the 32-bit value 0x00000001 at an offset of 32 bits _after_ the L4 (UDP) header (the raw payload syntax is @@base,offset,length@ with offset and length in bits; @ih@ is the inner header, i.e. the L4 payload)
** this matches the TEID in the GTP header: in GTPv1 the header starts with flags (1 byte), message type (1 byte) and length (2 bytes), so the 32-bit TEID sits 4 bytes after the start of the GTP header
* @ip saddr set 127.0.2.2@ changes the source address to the given address
* @ip daddr set 127.0.0.3@ changes the destination address to the given address
* @@ih,32,32 set 0x7fe80002@ changes the 32-bit value 32 bits after the L4 (UDP) header to 0x7fe80002
** this overwrites the TEID inside the GTP header
* @counter@ adds a counter to the rule so we can see how often it has been used (how many packets have matched it)
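To see what these rules do to actual packet bytes, here is an added example in Python (not code from this page or from Osmocom): it builds IPv4/UDP/GTPv1-U packets, evaluates the two @tunmap1@ rules above on them the way the prerouting chain would (in order, with no verdict, so every rule is tested against the packet as rewritten by earlier rules, and with per-rule counters), and renders the same mapping back into nft syntax. The UDP port 2152, the disabled UDP checksum and the inner payload are assumptions of the constructed packets; the rules on this page check none of them.

```python
"""Model of the tunmap chain on constructed GTPv1-U packets (added example, not Osmocom code)."""
import ipaddress
import struct

IP_HDR_LEN = 20
UDP_HDR_LEN = 8
GTPU_PORT = 2152   # assumption for the constructed packets; the rules only check l4proto udp
TEID_OFFSET = 4    # TEID is 4 bytes into the GTPv1 header, which is what @ih,32,32 addresses


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the IPv4 header; returns 0 for a header with a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gtpu_packet(saddr: str, daddr: str, teid: int, payload: bytes = b"") -> bytes:
    """IPv4 / UDP / GTPv1-U G-PDU with the 8-byte mandatory GTP header and no extension headers."""
    # flags 0x30: version 1, PT=GTP, no S/E/PN bits; message type 0xFF: G-PDU
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid) + payload
    # UDP checksum 0 = disabled (assumption); a real one would cover the addresses and the TEID
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, UDP_HDR_LEN + len(gtp), 0) + gtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp), 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(saddr).packed, ipaddress.IPv4Address(daddr).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def parse(pkt: bytes) -> dict:
    """Extract the fields the rules look at; the TEID is read at @ih + 32 bits."""
    ihl = (pkt[0] & 0x0F) * 4
    ih = ihl + UDP_HDR_LEN                    # first byte after the L4 header == @ih,0
    teid = None
    if pkt[9] == 17 and len(pkt) >= ih + TEID_OFFSET + 4:
        teid = struct.unpack_from("!I", pkt, ih + TEID_OFFSET)[0]
    return {"proto": pkt[9],
            "saddr": str(ipaddress.IPv4Address(pkt[12:16])),
            "daddr": str(ipaddress.IPv4Address(pkt[16:20])),
            "teid": teid}


RULES = [  # the two rules from the page, one per direction
    dict(match_daddr="127.0.1.2", match_teid=0x1,
         set_saddr="127.0.2.2", set_daddr="127.0.0.3", set_teid=0x7FE80002),
    dict(match_daddr="127.0.2.2", match_teid=0x2,
         set_saddr="127.0.1.2", set_daddr="127.0.0.2", set_teid=0x7FE80001),
]


def rule_text(r: dict) -> str:
    """Render one mapping as the nft rule shown on the page."""
    return ("meta l4proto udp ip daddr {match_daddr} @ih,32,32 0x{match_teid:x} "
            "ip saddr set {set_saddr} ip daddr set {set_daddr} "
            "@ih,32,32 set 0x{set_teid:x} counter").format(**r)


def chain_text(rules, table="asdf", chain="tunmap1") -> str:
    """Render the whole table/chain as nft would list it."""
    body = "".join("\t\t%s;\n" % rule_text(r) for r in rules)
    return ("table inet %s {\n\tchain %s {\n"
            "\t\ttype filter hook prerouting priority raw; policy accept;\n"
            "%s\t}\n}\n" % (table, chain, body))


class TunmapChain:
    """Evaluate the chain like netfilter: the rules carry no verdict, so each rule is
    tested in order against the packet as already rewritten by the rules before it."""

    def __init__(self, rules):
        self.rules = rules
        self.counters = [0] * len(rules)      # what the per-rule "counter" statement tracks

    def process(self, pkt: bytes) -> bytes:
        for i, r in enumerate(self.rules):
            f = parse(pkt)
            if f["proto"] != 17 or f["daddr"] != r["match_daddr"] or f["teid"] != r["match_teid"]:
                continue
            self.counters[i] += 1
            ihl = (pkt[0] & 0x0F) * 4
            out = bytearray(pkt)
            out[12:16] = ipaddress.IPv4Address(r["set_saddr"]).packed   # ip saddr set
            out[16:20] = ipaddress.IPv4Address(r["set_daddr"]).packed   # ip daddr set
            struct.pack_into("!I", out, ihl + UDP_HDR_LEN + TEID_OFFSET, r["set_teid"])  # @ih,32,32 set
            out[10:12] = b"\x00\x00"             # address rewrite invalidates the IP header checksum
            struct.pack_into("!H", out, 10, ipv4_checksum(bytes(out[:ihl])))
            pkt = bytes(out)
        return pkt                               # policy accept: unmatched packets pass unchanged


if __name__ == "__main__":
    print(chain_text(RULES), end="")
    chain = TunmapChain(RULES)
    uplink = build_gtpu_packet("127.0.0.2", "127.0.1.2", 0x1, b"inner-ip-packet")
    print(parse(chain.process(uplink)), chain.counters)
```

Because the rules end without a verdict, a packet rewritten by one rule is still tested against the rules after it; the two rules on this page cannot chain (rule 1 sets daddr 127.0.0.3, which rule 2 does not match), but a larger ruleset where one mapping's output address and TEID equal another mapping's match would rewrite the packet twice.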