GTP Tunnel Mapping via nftables » History » Version 1
laforge, 12/06/2022 01:53 PM
| 1 | 1 | laforge | h1. GTP Tunnel Mapping via nftables |
|---|---|---|---|
| 2 | |||
| 3 | the idea here is that we map one GTP tunnel to another GTP tunnel by doing IP address + TEID rewrite inside the kernel via nftables. |
||
| 4 | |||
| 5 | h2. How the ruleset works |
||
| 6 | |||
| 7 | The ruleset for a @tunmap@ use case looks like this: |
||
| 8 | |||
| 9 | <pre> |
||
| 10 | table inet asdf { |
||
| 11 | chain tunmap1 { |
||
| 12 | type filter hook prerouting priority raw; policy accept; |
||
| 13 | meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter; |
||
| 14 | meta l4proto udp ip daddr 127.0.2.2 @ih,32,32 0x2 ip saddr set 127.0.1.2 ip daddr set 127.0.0.2 @ih,32,32 set 0x7fe80001 counter; |
||
| 15 | } |
||
| 16 | } |
||
| 17 | </pre> |
||
| 18 | |||
| 19 | h4. defining the chain |
||
| 20 | |||
| 21 | <pre> |
||
| 22 | chain tunmap1 { |
||
| 23 | type filter hook prerouting priority raw; policy accept; |
||
| 24 | </pre> |
||
| 25 | |||
| 26 | this defines a chain (list of rules) attached to the _prerouting_ netfilter hook. If no rule hits, the packet shall simply be accepted (passed on unmodified). |
||
| 27 | |||
| 28 | _prerouting_ happens to all incoming packets before the routing decision (see "Netfilter hooks":https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks). This means the actual routing of the packet is done based on the packet _after_ the transformation rules have been applied. |
||
| 29 | |||
| 30 | h3. a single rule |
||
| 31 | |||
| 32 | One rule specifies the transformation to GTP packets in one direction. |
||
| 33 | |||
| 34 | <pre> |
||
| 35 | meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter; |
||
| 36 | </pre> |
||
| 37 | |||
| 38 | Explanation of that rule: |
||
| 39 | |||
| 40 | * @meta l4proto udp@ matches on UDP packets |
||
| 41 | * @ip daddr 127.0.1.2@ matches packets with the stated destination IP address |
||
| 42 | * @@ih,32,32 0x1@ matches packet who contain the 32-bit value 0x00000001 32-bits _after_ the L4 (UDP) header |
||
| 43 | ** this matches the TEID in the GTP header, as it is a 32bit value 4 bytes after the start of the GTP header |
||
| 44 | * @ip saddr set 127.0.2.2@ changes the destination address to the given address |
||
| 45 | * @ip daddr set 127.0.0.3@ changes the destination address to the given address |
||
| 46 | * @@ih,32,32 set 0x7fe80002@ changes the 32-bit value 32-bits after the L4 (UDP) header to 0x7fe80002 |
||
| 47 | ** this overewrites the TEID inside the GTP header |
||
| 48 | * @counter@ adds a counter to the rule so we can see hof often it has been used (how many packets have matched it) |
