From 77806ea88b197b0842ef1f26f9c4f1f535e4802b Mon Sep 17 00:00:00 2001 From: Neels Janosch Hofmeyr Date: Wed, 24 Jan 2024 03:14:37 +0100 Subject: [PATCH] manual: explain IP forwarding Change-Id: I7b54f9203c1a77efd43f90b9a1c0105bc5c3efde --- doc/manuals/chapters/running.adoc | 41 +++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/doc/manuals/chapters/running.adoc b/doc/manuals/chapters/running.adoc index eda1a6d..c0ba066 100644 --- a/doc/manuals/chapters/running.adoc +++ b/doc/manuals/chapters/running.adoc @@ -226,3 +226,44 @@ tunmap When running more than one osmo-upf process on a system, pick distinct table names to avoid name collisions in the nftables rulesets. + +=== IP Forwarding + +In order to allow forwarding GTP payloads, the Linux operating system must +be configured to allow IP forwarding. + +Note that there are many distribution-specific ways to configure this, and there +might be higher-level firewall rule management software available like `ufw`. +You should configure firewall rules matching your distribution and setup. + +To allow IP forwarding from and to all interfaces globally in a reboot-safe way, +you may put a line like this in /etc/sysctl.conf: + +---- +net.ipv4.ip_forward=1 +---- + +To do the same in an ad-hoc way that is not reboot safe but takes effect +immediately: + +---- +sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" +---- + +It is also possible to instruct the firewall to allow IP forwarding for specific +network devices only. For example, on a Debian based system, place an nft +ruleset like this in `/etc/nftables.conf`: + +---- +define gtp_netdevs = { eth0, eth23 }; + +table inet filter { + chain forward { + type filter hook forward priority filter; policy drop; + iifname $gtp_netdevs oifname $gtp_netdevs udp dport 2152 accept + } +} +---- + +This ruleset allows IP forwarding, but limited to the GTP-U port 2152, +and to two specific network devices eth0 and eth23.
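Review bot: the new "IP Forwarding" section presents the nftables ruleset as an alternative to the sysctl ("It is also possible to instruct the firewall to allow IP forwarding for specific network devices only"), but a forward-chain filter does not enable forwarding; with `net.ipv4.ip_forward=0` the kernel never hands packets to the forward hook, so the rule has nothing to accept. Reword to make the two steps cumulative, e.g. "With IP forwarding enabled via sysctl, the firewall can additionally restrict which forwarded traffic is accepted", and keep the sysctl instructions as a prerequisite. Two smaller points in the same hunk: the `sysctl.conf` line only enables IPv4 forwarding, so if osmo-upf is deployed with IPv6 GTP-U endpoints the section should also mention `net.ipv6.conf.all.forwarding=1`; and the ad-hoc command would be more idiomatic and reboot-agnostic as `sudo sysctl -w net.ipv4.ip_forward=1` (or `sudo sysctl -p` after editing `/etc/sysctl.conf`), rather than the `sh -c "echo 1 > ..."` form. Finally, since the ruleset uses `policy drop` and accepts only `udp dport 2152` between `$gtp_netdevs`, the text should state explicitly that any other forwarded traffic on those or other interfaces is dropped, so readers do not copy it into `/etc/nftables.conf` on a host that already forwards other traffic.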