GTP Tunnel Mapping via nftables

The idea here is to map one GTP tunnel onto another GTP tunnel by rewriting the IP addresses and the TEID inside the kernel via nftables.

Notes

  • we are treating the UPF tunnel-mapping use case as a special case of an IP router, which forwards packets between network interfaces. For this to work, IP forwarding must be enabled, just like on any Linux-based router.
  • the routing decision is made based on the new/rewritten packet. So your IP routing tables must be set up in a way that the packet after transformation can be routed to its destination.

How the ruleset works

The ruleset for a tunmap use case looks like this:

table inet asdf {
        chain tunmap1 {
                type filter hook prerouting priority raw; policy accept;
                meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter;
                meta l4proto udp ip daddr 127.0.2.2 @ih,32,32 0x2 ip saddr set 127.0.1.2 ip daddr set 127.0.0.2 @ih,32,32 set 0x7fe80001 counter;
        }
}

Note that there are two rules for each GTP tunnel: one for each direction/flow.

Defining the chain

chain tunmap1 {
        type filter hook prerouting priority raw; policy accept;

This defines a chain (a list of rules) attached to the prerouting netfilter hook. If no rule matches, the packet is simply accepted (passed on unmodified).

Prerouting is applied to all incoming packets before the routing decision (see Netfilter hooks). This means the actual routing of the packet is done based on the packet after the transformation rules have been applied.

A single rule

One rule specifies the transformation to GTP packets in one direction.

meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter;

Explanation of that rule:

  • meta l4proto udp matches on UDP packets
  • ip daddr 127.0.1.2 matches packets with the stated destination IP address
  • @ih,32,32 0x1 matches packets which contain the 32-bit value 0x00000001 located 32 bits after the L4 (UDP) header
    • this matches the TEID in the GTP header, as it is a 32-bit value 4 bytes after the start of the GTP header
  • ip saddr set 127.0.2.2 changes the source address to the given address
  • ip daddr set 127.0.0.3 changes the destination address to the given address
  • @ih,32,32 set 0x7fe80002 changes the 32-bit value located 32 bits after the L4 (UDP) header to 0x7fe80002
    • this overwrites the TEID inside the GTP header
  • counter adds a counter to the rule so we can see how often it has been used (how many packets have matched it)
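The following script is an added example and not part of the original wiki page or the project's own tooling. It generates the ruleset shown above (both directions of one tunnel pair) from the tunnel parameters, derives the @ih offset from the GTPv1 header layout rather than hard-coding it, and checks that IP forwarding is enabled, since the rewritten packet is routed like on any other Linux router. The function names (teid_expr, tunmap_rule, tunmap_ruleset, ip_forward_enabled) are this example's own; the addresses and TEIDs in the demo at the bottom are the same constructed sample values the page uses.

```shell
#!/bin/sh
# Added example, not from the original wiki page: generate the two nftables
# rules that map one GTP-U tunnel onto another, as explained above.
# The addresses and TEIDs in the demo at the bottom are constructed sample
# values (the ones used on the page), not a real deployment.

# GTPv1 header: flags(1) msg type(1) length(2) TEID(4) -> TEID at byte 4.
GTP_TEID_BYTE_OFFSET=4
GTP_TEID_BYTE_LEN=4

# nft raw payload expressions use bit offsets and bit lengths counted from
# the start of the "inner header" (everything after the UDP header):
#   @ih,<offset_bits>,<length_bits>
teid_expr() {
    printf '@ih,%d,%d' $((GTP_TEID_BYTE_OFFSET * 8)) $((GTP_TEID_BYTE_LEN * 8))
}

# One direction of a mapping.
# Usage: tunmap_rule <match_daddr> <match_teid> <new_saddr> <new_daddr> <new_teid>
# A GTP-U packet addressed to <match_daddr> carrying <match_teid> leaves with
# source <new_saddr>, destination <new_daddr> and TEID <new_teid>.
tunmap_rule() {
    printf 'meta l4proto udp ip daddr %s %s %s ip saddr set %s ip daddr set %s %s set %s counter;' \
        "$1" "$(teid_expr)" "$2" "$3" "$4" "$(teid_expr)" "$5"
}

# Whole table for one tunnel pair A<->B (two rules, one per direction).
# Usage: tunmap_ruleset <table> <chain> \
#            <A_local> <A_peer> <A_teid_in> <A_teid_out> \
#            <B_local> <B_peer> <B_teid_in> <B_teid_out>
# *_local: our address the peer sends to; *_peer: the peer's own address;
# *_teid_in: TEID the peer sends to us; *_teid_out: TEID the peer expects from us.
tunmap_ruleset() {
    table=$1 chain=$2
    a_local=$3 a_peer=$4 a_teid_in=$5 a_teid_out=$6
    b_local=$7 b_peer=$8 b_teid_in=$9 b_teid_out=${10}
    printf 'table inet %s {\n' "$table"
    printf '\tchain %s {\n' "$chain"
    printf '\t\ttype filter hook prerouting priority raw; policy accept;\n'
    # A -> B: arrives on A's local address, must leave as if sent from B's local address
    printf '\t\t%s\n' "$(tunmap_rule "$a_local" "$a_teid_in" "$b_local" "$b_peer" "$b_teid_out")"
    # B -> A: the reverse direction
    printf '\t\t%s\n' "$(tunmap_rule "$b_local" "$b_teid_in" "$a_local" "$a_peer" "$a_teid_out")"
    printf '\t}\n}\n'
}

# The rewritten packet is routed like on any Linux router, so forwarding must be on.
# Returns 0 if IPv4 forwarding is enabled, 1 otherwise (or if the sysctl is unreadable).
ip_forward_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Demo: emit the ruleset from the page. To load it as root, pipe it into
#   nft -f -
# and inspect the hit counts afterwards with:  nft list chain inet asdf tunmap1
tunmap_ruleset asdf tunmap1 \
    127.0.1.2 127.0.0.2 0x1 0x7fe80001 \
    127.0.2.2 127.0.0.3 0x2 0x7fe80002
ip_forward_enabled || echo "note: net.ipv4.ip_forward is not 1; mapped packets would not be forwarded" >&2
```

Keeping the generator separate from loading it means the rules can be diffed and reviewed before they touch the kernel, and a wrong TEID or address shows up as a text mismatch rather than as silently dropped traffic.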

Updated by laforge over 1 year ago · 4 revisions