Since recently (see the related commit), libnftables installs
a systemd unit file that loads a ruleset from a file on boot.
contrib/jenkins.sh currently fails with the following error:
/usr/bin/install: cannot create regular file
'/lib/systemd/system/nftables.service':
Permission denied
Let's specify the unit directory like we do for other projects.
Change-Id: I9ab473dd6f734606518a980152fd4b00c2e23690
Related: nftables.git c4b17cf8305108f91d8e63880317a59e8e806c80
In tunmap scenario there's usually 2 PDRs/local-F-TEIDs per session,
hence it makes sense to at least double the hashtable size with respect
to session hashtable. In here we actually multiply it by 2 twice since
this is actually global and not per peer, hence we account for multiple
peers.
Change-Id: I7ee3e875020d707c05e13ee70952174ca4daad30
During a 200K session setup, this can still take quite a noticeable
amount of time (20% of a full CPU) during session creation.
Change-Id: I424778a4c75000fb67ba4725a6a3e3e91a80fc76
This is used every time a new PFCP session was being allocated.
It allows looking up if a given UP SEID exists in any of the peers.
Before this patch, iterating over tens/hundreds of UP peers on every
session creation took 38% of a full CPU.
Change-Id: I617b405e59a3435a1c4912bf4161bc9e036754b4
Use this hashtable while looking up for tunend based on
<access.local.teid, access.remote.teid, access.remote.addr>.
This kind of look up is used every time a session is added or removed,
which means potentially thousands of tunend sessions were being iterated
linerarly every time.
For simplification (easier/quicker hashtable key generation), reduce the
whole key presented above to a more general one based on
"access.local.teid". This is usually enough since we are anyways
allocating local TEIDs globally per tunnel without caring about remote
address.
Change-Id: Ib12ecc8ce87175071c52c0ed2217a29d901f0f05
This lookup was taking ages specially when UPF already managed thousands
of sessions.
Related: SYS#6398
Change-Id: I7df8fd945eedbda98bd08e9fb2f382e0f55c2983
This is a hot path when creating new sessions. Previous code would take
ages specially when UPF already had thousands of sessions created and a
new TEID to allocate was being looked up.
Related: SYS#6398
Change-Id: I90ecbb07b242c1de2298261019f24aa5f5810fda
If osmo-upf crashes without running the destructor, we may have a
leftover gtp device. This can be simulated with "killall -9 osmo-upf".
Clean it up automatically.
Related: SYS#7240
Depends: libgtpnl Ib99bd8eed854014a5c9118c23e4058a41f3145f2
Change-Id: I7bb5c1ed51f4e05964688ee77b8de77fd3c0f345
Allow sending GTPv1-U Echo Requests to GTP peers via new VTY command
gtp1u-echo send to (A.B.C.D|X:X::X:X)
gtp1u-echo send to (A.B.C.D|X:X::X:X) local-ip (A.B.C.D|X:X::X:X)
gtp1u-echo send to (A.B.C.D|X:X::X:X) local-dev DEV_NAME
Related: OS#6541
Tweaked-by: Oliver Smith <osmith@sysmocom.de>
Change-Id: I970dccd7a27b098eea9e660822e24e2c4b059fc6
Store nftables ruleset commands for a limited time and a limited volume
before submitting in batch, in order to minimize the overhead associated
with submitting nftables commands.
Configurable by 'timer nft X32' and 'X33'
Change-Id: Ib0a8e86b29bab1559d94fc55a89daa00ec670318
Makes it easier to find the right one later.
This will be used to fetch the UPF chosen TEIDs from PFCP responses in
upcoming "n-sessions [4/4]" I74a21cc31296ab89a2acda1da8ae9693c1992e66.
Related: SYS#6590
Change-Id: Ic343494001c70a84f3402ce5749d08e729551b26
Support receiving of Echo Responses, so far showed an error log for
unsupported message type. Just log the message.
Prep for upcoming patch to allow sending Echo Requests from VTY.
Change-Id: Idad417746a1ea797e8fbfe04ca9c84923a6118fa
Like e.g. in osmo-msc.git, osmo-bsc.git, use wildcard $(srcdir)/*.vty to
make sure we never forget to distribute committed VTY test scripts.
Change-Id: If4dca81ce287ce1b1af32057634af912a8b89665
Do not attempt to change permissions/ownership if the package gets
upgraded from a version higher than the next release.
Do not fail if the user deleted the config file.
Be verbose when changing permissions.
Related: OS#4107
Change-Id: I8994759df644d6edd8f937051b95690537b749be
We see GTP-U originating from ports other than 2152 in the field. When
osmo-upf forwards these, we want to forward from our GTP-U port 2152,
since that is the only port osmo-upf has bound for GTP-U (for echo).
According to 3GPP TS 29.060, the *destination* port for GTP-U shall be
2152 -- but the source port is apparently allowed to be different.
Before this patch, we would forward GTP-U like this:
3.3.3.3:33333 -> (3.3.3.4:2152 UPF 2.2.2.2:33333) -> 1.1.1.1:2152
^^^^^
Instead we want to always send from UDP source port 2152:
3.3.3.3:33333 -> (3.3.3.4:2152 UPF 2.2.2.2:2152) -> 1.1.1.1:2152
^^^^
This hasn't shown up before because so far all GTP-U peers we saw
consistently used source port 2152.
Related: SYS#6773
Change-Id: Idaf43f1c2b915846b50a8b97305f0229e34ad539
Set CAP_NET_ADMIN so osmo-upf can set up GTP tunends and tunmaps even if
running as user.
Fix for:
Operation not permitted (you must be root)
netlink: Error: cache initialization failed: Operation not permitted
20240430095022378 DNFT ERROR error running nft ruleset: rc=-1 ruleset="add table inet osmo-upf { flags owner; };\n" (upf_nft.c:79)
20240430095022378 DNFT ERROR Failed to create nft table "osmo-upf" (upf_nft.c:111)
Fixes: OS#6444
Change-Id: I17b21ad92837ad360d667248f3f002d44251891c
* Explicitly chown /var/lib/osmocom to osmocom:osmocom, instead of
relying on systemd to do it when the service starts up. This does not
work with the systemd versions in debian 10 and almalinux 8.
* deb: Use "useradd" instead of the interactive "adduser" perl script
from Debian. This makes it consistent with how we do it in rpm, and
avoids the dependency on "adduser".
* deb: Consistently use tabs through the file, instead of mixing tabs
and spaces.
* deb: Remove support for the "dpkg-statoverride --list" logic. This
seems to be a rather obscure feature to override permissions for
certain files or directories, for which it does not seem to be a good
idea to make the postinst script less maintainable. Something similar
can be achieved by using your own Osmocom config file in a different
path with different permissions.
Related: OS#4107
Change-Id: Ib129217f6aff713d1d0e7aa831b4b54823e9bade
Create osmocom user & group during package installation.
Fix the configuration dir/files permission to match.
Related: OS#4107
Tweaked-By: Oliver Smith <osmith@sysmocom.de>
Change-Id: I6caa561eff63d6ee58b5c7b0f8c69bfd2d134eb3
I'd like to add more sub-levels in an upcoming commit, and the levels
are becoming too many. So let's get rid of one depth level in the
'Running osmo-upf' chapter.
Change-Id: I0bd43300aa4b45315ea58ab35c77da005d1a4fa4
From time to time we see sporadic master build failures on Jenkins
because git fails to clone one of the repositories:
```
Cloning into 'nftables'...
error: garbage at end of loose object '0ca03ecd6ab3cfdc94f8f9ef6e3a7c40d1aa7195'
fatal: loose object 0ca03ecd6ab3cfdc94f8f9ef6e3a7c40d1aa7195
(stored in /build/libnftnl/nftables/.git/objects/0c/a03ecd6ab3cfdc94f8f9ef6e3a7c40d1aa7195) is corrupt
Cloning into 'libnftnl'...
fatal: unable to access 'https://git.netfilter.org/libnftnl/':
Failed to connect to git.netfilter.org port 443: Connection timed out
```
Running git with GIT_CURL_VERBOSE=true reveals that the server is using
an old "dumb" git protocol, so the client is sending hundreds of HTTP
requests to the server. I also noticed that cloning via http[s]://
takes significantly more time than cloning via git://, because of the
old protocol being used.
```
$ time git clone https://git.netfilter.org/nftables
...
real 1m16.848s
user 0m4.867s
sys 0m1.883s
$ time git clone git://git.netfilter.org/nftables
...
real 0m2.453s
user 0m1.180s
sys 0m0.158s
```
According to [1], there is a more modern "smart" protocol, which is
relatively more stable and fast. However it's not supported by the
remote server, so let's use git:// as a workaround.
[1] https://www.git-scm.com/docs/http-protocol
Change-Id: I8e943c74052cc74eae8dc1d80ab243f792a90156
Coverity complains about a supposedly missing NULL check for the pointer 'pdr', that check
however happens before the function in question is called.
It makes sense to be consistent inside the function, so remove the NULL check before calling
'pdr_del', because we don't NULL check anywhere else in the function either.
Fixes: Coverity scan CID#307494
Change-Id: Ia33e4211b4a24abc87c3c2ceffe807ca3322f29d
