implement GTP tunnel mapping via netfilter

Implement support for PFCP rulesets that ask for mapping a GTP tunnel:
forwarding GTP payload between two GTP tunnels.

For a GTP tunnel mapping, dispatch netfilter rules that detect GTP
packets with a given source address and TEID, and replace the TEID and
destination address according to the PFCP ruleset.

The netfilter implementation is chosen to effect the packet rewriting
and forwarding to take place directly in the kernel, for high throughput
of GTP packets.

Related: SYS#5599
Change-Id: Ic0d319eb4f98cd51a5999c804c4203ab0bdda650

include/osmocom/upf/upf.h

@@ -33,6 +33,7 @@ struct osmo_tdef;
 struct ctrl_handle;
 
 struct upf_gtp_dev;
+struct nft_ctx;
 
 #define UPF_PFCP_LISTEN_DEFAULT "0.0.0.0"
 
@@ -72,6 +73,8 @@ struct g_upf {
 		struct pfcp_vty_cfg vty_cfg;
 		struct up_endpoint *ep;
 	} pfcp;
+
+	/* Tunnel encaps decaps via GTP kernel module */
 	struct {
 		/* if true, don't actually send commands to the GTP kernel module, just return success. */
 		bool mockup;
@@ -85,6 +88,17 @@ struct g_upf {
 		struct mnl_socket *nl;
 		int32_t genl_id;
 	} gtp;
+
+	/* Tunnel forwarding via linux netfilter */
+	struct {
+		/* if true, don't actually send commands to nftables, just return success. */
+		bool mockup;
+
+		struct nft_ctx *nft_ctx;
+		char *table_name;
+		int priority;
+		uint32_t next_id_state;
+	} nft;
 };
 
 extern struct g_upf *g_upf;
@@ -94,6 +108,7 @@ enum upf_log_subsys {
 	DPEER,
 	DSESSION,
 	DGTP,
+	DNFT,
 };
 
 void g_upf_alloc(void *ctx);

include/osmocom/upf/upf_nft.h

@@ -27,6 +27,8 @@
 
 #include <osmocom/core/socket.h>
 
+#define NFT_CHAIN_NAME_PREFIX_TUNMAP "tunmap"
+
 struct upf_nft_tunmap_desc {
 	struct {
 		struct osmo_sockaddr gtp_remote_addr;