GTP Tunnel Mapping via nftables » History » Version 1
laforge, 12/06/2022 01:53 PM
h1. GTP Tunnel Mapping via nftables

The idea here is that we map one GTP tunnel to another GTP tunnel by doing an IP address + TEID rewrite inside the kernel via nftables.

h2. How the ruleset works

The ruleset for a @tunmap@ use case looks like this:

<pre>
table inet asdf {
	chain tunmap1 {
		type filter hook prerouting priority raw; policy accept;
		meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter;
		meta l4proto udp ip daddr 127.0.2.2 @ih,32,32 0x2 ip saddr set 127.0.1.2 ip daddr set 127.0.0.2 @ih,32,32 set 0x7fe80001 counter;
	}
}
</pre>

h3. defining the chain

<pre>
chain tunmap1 {
	type filter hook prerouting priority raw; policy accept;
</pre>

This defines a chain (list of rules) attached to the _prerouting_ netfilter hook. If no rule matches, the packet is simply accepted (passed on unmodified).

_prerouting_ happens to all incoming packets before the routing decision (see "Netfilter hooks":https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks). This means the actual routing of the packet is done based on the packet _after_ the transformation rules have been applied.

h3. a single rule

One rule specifies the transformation applied to GTP packets in one direction.

<pre>
meta l4proto udp ip daddr 127.0.1.2 @ih,32,32 0x1 ip saddr set 127.0.2.2 ip daddr set 127.0.0.3 @ih,32,32 set 0x7fe80002 counter;
</pre>

Explanation of that rule:

* @meta l4proto udp@ matches on UDP packets
* @ip daddr 127.0.1.2@ matches packets with the stated destination IP address
* @@ih,32,32 0x1@ matches packets that contain the 32-bit value 0x00000001 32 bits _after_ the L4 (UDP) header
** this matches the TEID in the GTP header, as it is a 32-bit value 4 bytes after the start of the GTP header
* @ip saddr set 127.0.2.2@ changes the source address to the given address
* @ip daddr set 127.0.0.3@ changes the destination address to the given address
* @@ih,32,32 set 0x7fe80002@ changes the 32-bit value 32 bits after the L4 (UDP) header to 0x7fe80002
** this overwrites the TEID inside the GTP header
* @counter@ adds a counter to the rule so we can see how often it has been used (how many packets have matched it)
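The following is an added example, not part of the original wiki page: it renders the two tunmap rules above from a mapping table and simulates them on a constructed IPv4/UDP/GTPv1-U packet, so the @ih,32,32 offset (32 bits after the UDP header) can be checked against a real TEID position. Addresses and TEIDs are the page's own sample values; the packet layout (UDP port 2152, G-PDU message type 0xff, no optional GTP fields) and the zeroed checksums are assumptions of this simulation.

```python
import socket
import struct

# Sample mappings taken from the ruleset on this page:
# (match daddr, match TEID, new saddr, new daddr, new TEID)
TUNMAP = [
    ("127.0.1.2", 0x1, "127.0.2.2", "127.0.0.3", 0x7fe80002),
    ("127.0.2.2", 0x2, "127.0.1.2", "127.0.0.2", 0x7fe80001),
]

def nft_tunmap_rule(match_daddr, match_teid, new_saddr, new_daddr, new_teid):
    """Render one rule in the exact form used by the tunmap chain."""
    return (f"meta l4proto udp ip daddr {match_daddr} @ih,32,32 {match_teid:#x} "
            f"ip saddr set {new_saddr} ip daddr set {new_daddr} "
            f"@ih,32,32 set {new_teid:#x} counter;")

def gtpu_packet(saddr, daddr, teid, payload=b"x" * 20):
    """Constructed IPv4 + UDP/2152 + GTPv1-U header (flags, G-PDU, length, TEID)."""
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid) + payload
    udp = struct.pack("!HHHH", 2152, 2152, 8 + len(gtp), 0) + gtp   # UDP checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(saddr), socket.inet_aton(daddr))  # IP checksum left 0
    return ip + udp

def apply_tunmap(pkt, rules=TUNMAP):
    """Simulate the chain: the first matching rule rewrites saddr, daddr and TEID."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:                           # meta l4proto udp
        return pkt
    teid_off = ihl + 8 + 4                     # @ih,32,32: 32 bits past the 8-byte UDP header
    daddr = socket.inet_ntoa(pkt[16:20])
    teid = struct.unpack_from("!I", pkt, teid_off)[0]
    for m_daddr, m_teid, n_saddr, n_daddr, n_teid in rules:
        if daddr == m_daddr and teid == m_teid:
            out = bytearray(pkt)
            out[12:16] = socket.inet_aton(n_saddr)      # ip saddr set
            out[16:20] = socket.inet_aton(n_daddr)      # ip daddr set
            struct.pack_into("!I", out, teid_off, n_teid)  # @ih,32,32 set
            return bytes(out)
    return pkt                                 # policy accept: passed on unmodified

def parse(pkt):
    """Return (saddr, daddr, teid) so the rewrite can be inspected."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            struct.unpack_from("!I", pkt, ihl + 12)[0])

if __name__ == "__main__":
    for r in TUNMAP:
        print(nft_tunmap_rule(*r))
    print(parse(apply_tunmap(gtpu_packet("127.0.0.2", "127.0.1.2", 0x1))))
```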