Bump version: 0.1.1.112-9c90 → 0.2.0

Change-Id: I772edbd17fcac0da597c30eecefa54f9fd8c3ed3

Makefile.am

@@ -19,7 +19,6 @@ SUBDIRS = \
 BUILT_SOURCES = $(top_srcdir)/.version
 EXTRA_DIST = \
 	     .version \
-	     contrib/osmo-upf.spec.in \
 	     debian \
 	     git-version-gen \
 	     osmoappdesc.py \

TODO-RELEASE

@@ -1,9 +1,9 @@
 # When cleaning up this file: bump API version in corresponding Makefile.am and rename corresponding debian/lib*.install
-# according to https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html#Updating-version-info
-# In short:
+# according to https://osmocom.org/projects/cellular-infrastructure/wiki/Make_a_new_release
+# In short: https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html#Updating-version-info
 # LIBVERSION=c:r:a
 # If the library source code has changed at all since the last update, then increment revision: c:r + 1:a.
-# If any interfaces have been added, removed, or changed since the last update: c + 1:0:0.
+# If any interfaces have been added, removed, or changed since the last update: c + 1:0:a.
 # If any interfaces have been added since the last public release: c:r:a + 1.
 # If any interfaces have been removed or changed since the last public release: c:r:0.
-#library	what		description / commit summary line
+#library	what			description / commit summary line

configure.ac

@@ -36,11 +36,11 @@ fi
 PKG_PROG_PKG_CONFIG([0.20])
 
 dnl checks for libraries
-PKG_CHECK_MODULES(LIBOSMOCORE, libosmocore >= 1.6.0)
-PKG_CHECK_MODULES(LIBOSMOVTY, libosmovty >= 1.6.0)
-PKG_CHECK_MODULES(LIBOSMOCTRL, libosmoctrl >= 1.6.0)
-PKG_CHECK_MODULES(LIBOSMOPFCP, libosmo-pfcp >= 0.1.0)
-PKG_CHECK_MODULES(LIBGTPNL, libgtpnl >= 1.2.0)
+PKG_CHECK_MODULES(LIBOSMOCORE, libosmocore >= 1.10.0)
+PKG_CHECK_MODULES(LIBOSMOVTY, libosmovty >= 1.10.0)
+PKG_CHECK_MODULES(LIBOSMOCTRL, libosmoctrl >= 1.10.0)
+PKG_CHECK_MODULES(LIBOSMOPFCP, libosmo-pfcp >= 0.4.0)
+PKG_CHECK_MODULES(LIBGTPNL, libgtpnl >= 1.3.0)
 PKG_CHECK_MODULES(LIBNFTABLES, libnftables >= 1.0.2)
 
 dnl checks for header files
@@ -203,6 +203,7 @@ AC_OUTPUT(
     src/osmo-pfcp-tool/Makefile
     tests/Makefile
     tests/atlocal
+    tests/unique_ids/Makefile
     doc/Makefile
     doc/examples/Makefile
     doc/manuals/Makefile

contrib/jenkins.sh

@@ -50,8 +50,12 @@ build_from_netfilter() {
 	git clone "git://git.netfilter.org/$project" "$project"
 	cd "$project"
 	autoreconf --install --force
-	./configure --prefix="$inst/stow/$project" --without-cli --disable-man-doc
-	$MAKE install
+	./configure \
+		--prefix="$inst/stow/$project" \
+		--without-cli \
+		--disable-man-doc \
+		--enable-python=no
+	$MAKE $PARALLEL_MAKE install
 	STOW_DIR="$inst/stow" stow --restow $project
 }
 build_from_netfilter libnftnl

contrib/osmo-pfcp-tool-scripts/osmo-pfcp-tool.cfg

@@ -1,4 +1,10 @@
 log stderr
+ logging color 1
+ logging print category-hex 0
+ logging print category 1
+ logging timestamp 0
+ logging print file basename last
+ logging print level 1
  logging level set-all info
 
 local-addr 127.0.0.2

contrib/osmo-pfcp-tool-scripts/osmo-upf-11.cfg

@@ -1,11 +1,11 @@
 log stderr
  logging filter all 1
  logging color 1
- logging print level 1
- logging print category 1
  logging print category-hex 0
+ logging print category 1
+ logging timestamp 0
  logging print file basename last
- logging print extended-timestamp 1
+ logging print level 1
  logging level set-all notice
  logging level set-all info
  logging level session debug

contrib/osmo-pfcp-tool-scripts/osmo-upf-12.cfg

@@ -1,11 +1,11 @@
 log stderr
  logging filter all 1
  logging color 1
- logging print level 1
- logging print category 1
  logging print category-hex 0
+ logging print category 1
+ logging timestamp 0
  logging print file basename last
- logging print extended-timestamp 1
+ logging print level 1
  logging level set-all notice
  logging level set-all info
  logging level session debug
@@ -23,3 +23,7 @@ pfcp
  local-addr 127.0.0.12
 tunmap
  table-name osmo-upf-12
+
+# gtp-dev only for GTP-U Echo service
+tunend
+ dev create gtp-echo-12 127.0.0.12

contrib/osmo-pfcp-tool-scripts/tunend_session_est.vty

@@ -1,5 +1,5 @@
 timer pfcp x23 0
-pfcp-peer 127.0.0.1
+pfcp-peer 127.0.0.11
  tx assoc-setup-req
  sleep 1
  session tunend

contrib/osmo-upf.spec.in

@@ -1,92 +0,0 @@
-#
-# spec file for package osmo-upf
-#
-# Copyright (c) 2017, Martin Hauke <mardnh@gmx.de>
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-## Disable LTO for now since it breaks compilation of the tests
-## https://osmocom.org/issues/4113
-%define _lto_cflags %{nil}
-
-Name:           osmo-upf
-Version:        @VERSION@
-Release:        0
-Summary:        OsmoUPF: Osmocom User Plane Function
-License:        AGPL-3.0-or-later AND GPL-2.0-or-later
-Group:          Hardware/Mobile
-URL:            https://osmocom.org/projects/osmo-upf
-Source:         %{name}-%{version}.tar.xz
-BuildRequires:  autoconf-archive
-BuildRequires:  automake >= 1.9
-BuildRequires:  libtool >= 2
-BuildRequires:  lksctp-tools-devel
-BuildRequires:  pkgconfig >= 0.20
-%if 0%{?suse_version}
-BuildRequires:  systemd-rpm-macros
-%endif
-BuildRequires:  pkgconfig(libgtpnl) >= 1.2.0
-BuildRequires:  pkgconfig(libnftables) >= 1.0.2
-BuildRequires:  pkgconfig(libosmocore) >= 1.6.0
-BuildRequires:  pkgconfig(libosmoctrl) >= 1.6.0
-BuildRequires:  pkgconfig(libosmovty) >= 1.6.0
-BuildRequires:  pkgconfig(libosmo-pfcp) >= 0.1.0
-BuildRequires:  pkgconfig(talloc)
-%{?systemd_requires}
-
-%description
-OsmoUPF: Osmocom User Plane Function
-
-%prep
-%setup -q
-
-%build
-echo "%{version}" >.tarball-version
-autoreconf -fi
-%configure \
-  --docdir=%{_docdir}/%{name} \
-  --with-systemdsystemunitdir=%{_unitdir}
-make %{?_smp_mflags}
-
-%install
-%make_install
-
-%if 0%{?suse_version}
-%preun
-%service_del_preun %{name}.service
-
-%postun
-%service_del_postun %{name}.service
-
-%pre
-%service_add_pre %{name}.service
-
-%post
-%service_add_post %{name}.service
-%endif
-
-%check
-make %{?_smp_mflags} check || (find . -name testsuite.log -exec cat {} +)
-
-%files
-%license COPYING
-%doc AUTHORS README.md
-%{_bindir}/osmo-upf
-%{_bindir}/osmo-pfcp-tool
-%dir %{_docdir}/%{name}/examples
-%dir %{_docdir}/%{name}/examples/osmo-upf
-%{_docdir}/%{name}/examples/osmo-upf/osmo-upf.cfg
-%{_docdir}/%{name}/examples/osmo-upf/osmo-upf-create-dev.cfg
-%{_docdir}/%{name}/examples/osmo-upf/osmo-upf-mockup.cfg
-%dir %{_sysconfdir}/osmocom
-%config(noreplace) %{_sysconfdir}/osmocom/osmo-upf.cfg
-%{_unitdir}/%{name}.service
-
-%changelog

contrib/systemd/osmo-upf.service

@@ -1,13 +1,18 @@
 [Unit]
 Description=Osmocom User Plane Function (UPF)
+After=network-online.target
+Wants=network-online.target
 
 [Service]
 Type=simple
 StateDirectory=osmocom
 WorkingDirectory=%S/osmocom
 Restart=always
+User=osmocom
+Group=osmocom
 ExecStart=/usr/bin/osmo-upf -c /etc/osmocom/osmo-upf.cfg
 RestartSec=2
+AmbientCapabilities=CAP_NET_ADMIN
 
 [Install]
 WantedBy=multi-user.target

debian/changelog

@@ -1,3 +1,133 @@
+osmo-upf (0.2.0) unstable; urgency=medium
+
+  [ Neels Hofmeyr ]
+  * improve manual: PFCP and GTP interfaces
+  * example cfg: tweak logging
+
+  [ Oliver Smith ]
+  * osmo_pfcp_tool: fix osmo_pfcp_tool_copyright error
+  * debian: add osmo-pfcp-tool to osmo-upf package
+  * Run struct_endianness.py
+  * contrib/jenkins: build nftables without python
+  * contrib/jenkins: clone netfilter repos with https
+  * contrib/jenkins: netfilter: use PARALLEL_MAKE
+  * debian: set compat level to 10
+  * systemd: depend on networking-online.target
+  * .deb/.rpm: various fixes related to non-root
+  * contrib/systemd: AmbientCapabilities=CAP_NET_ADMIN
+  * contrib: remove rpm spec file
+  * debian/postinst: add checks, be verbose
+
+  [ Neels Janosch Hofmeyr ]
+  * Allow running without a GTP dev
+  * drop charts/, duplicated from libosmo-pfcp.git
+  * manual: add/fix running.adoc
+  * manual: add 'Configure Primary Links'
+  * vty doc: indicate default nft table name
+  * silence misleading error: "HEARTBEAT_REQ: Unknown message type"
+  * drop unused enum up_session_kind
+  * tests/upf.vty: add some missing nodes to the test
+  * VTY: rename 'gtp' to 'tunend'
+  * VTY: rename 'nft' to 'tunmap'
+  * osmo-pfcp-tool VTY: rename 'endecaps' to 'tunend'
+  * cosmetic: in code, rename 'endecaps' to 'tunend'
+  * cosmetic: rename upf_gtp_tun to upf_gtp_tunend
+  * drop unused upf_gtp_dev_is_tunnel_active()
+  * cosmetic: rename upf_gtp_dev_tunnel_* to upf_gtp_dev_tunend_*
+  * vty: revert rename of 'show gtp'
+  * VTY: show gtp: still list tunmap if no tunend device is open
+  * up_gtp_action_to_str_buf(): always print PDR IDs
+  * use osmo_pfcp_ie_outer_header_creation_to_str_buf()
+  * gtpu_echo: do not osmo_fd_register twice
+  * VTY 'show gtp': more accurately identify local/remote IP
+  * fix access/core mixup of PDR IDs / tunmap FAR
+  * clarify comments and naming around PDR+FAR classification
+  * tunmap: choose local GTP addr by Network Instance IEs
+  * log: add missing sep in far_to_str
+  * fix PFCP Session Mod: Update FAR
+  * in GTP actions, also store local GTP addrs
+  * nft: rename addr to addr_remote, add addr_local
+  * nft: incoming GTP-U: match on local IP, not remote IP
+  * nft: rewrite source IP in outgoing GTP-U
+  * nft: log nft rulesets on debug log
+  * nft: end each rule in semicolon
+  * nft: ensure to assign rule id only once
+  * GTP,UE addrs in osmo_sockaddr: assert( port == 0 )
+  * nft: allow to get the ruleset string without running
+  * vty: add: show nft-rule tunmap example
+  * add cfg: tunmap / nft-rule append
+  * nft: append 'accept' to each rule
+  * tunend: choose local GTP addr by Network Instance IEs
+  * manual: use 'tunend' and 'tunmap'
+  * manual: explain new netinst cfg
+  * manual: tweak 'running' for new netinst feature
+  * manual: add charts explaining tunend and tunmap
+  * manual: some tweaks in overview
+  * manual: fix broken reference to netinst section
+  * fix copy-paste bug in up_endpoint.c
+  * fix deprecation: use telnet_init_default()
+  * check rc of osmo_use_count_get_put()
+  * error log: fix msg for gtp_del_tunnel() failure
+  * fix various crashes on osmo_pfcp_endpoint_tx() err handling
+  * osmo-pfcp-tool: avoid stale pointers on msg copy
+  * fix some PFCP peer,session error handling paths
+  * drop unused function up_peer_tx
+  * move GTP port definitions to upf.h
+  * deprecate cfg 'nft rule tunmap append'
+  * tunmap: prep new nft ruleset: log only mapping id
+  * tunmap: refactor nft ruleset: fix "martians" and "1024"
+  * tunmap: ensure nft table is removed on program exit
+  * osmo_pfcp_tool: make usable again
+  * minor api doc
+  * cosmetic: simplify naming: struct upf_tunmap, struct upf_tunend
+  * cosmetic: reduce dup in tunnel struct definitions
+  * cosmetic: rename g_upf->gtp to tunend, ->nft to tunmap
+  * move next_teid from up_endpoint to g_upf
+  * cosmetic: rename next_seid to next_up_seid
+  * build: drop LIBOSMO_GTLV
+  * build: add libupf.la (noinst)
+  * add unique_ids_test.c
+  * tunmap: ensure assigned chain_id is unused
+  * cosmetic: clarify session active / partially active semantics
+  * unique_ids_test.c: fix coverity ASSERT_SIDE_EFFECT
+  * manual: fix typo in running.adoc
+  * manual: 'Running': flatten section depths a bit
+  * manual: 'Running': tweak, mention 'tunmap' and 'tunend'
+  * manual: 'Running': tweak word, fix ws at line end
+  * manual: explain GTP Echo workaround for tunmap
+  * manual: explain IP forwarding
+  * tunmap: always set GTP-U source port to 2152 when forwarding
+  * vty doc fix
+  * pfcp-tool: fix extra newline in vty_out
+  * fix msgb memleak on GTP echo response
+  * fix EXTRA_DIST for vty test scripts
+  * drop unreachable statement
+  * contrib/pfcp-tool-scripts: adjust tunend_session_est.vty and upf cfg to match up
+  * upf gtp-u echo: improve loging
+  * upf gtp-u echo: rx Echo Response messages
+  * pfcp-tool: always use specific PDR ids for access and core
+  * nft: batch nftables commands
+  * osmo-upf: add VTY 'gtp-echo' command
+
+  [ Max ]
+  * Set working directory in systemd service file
+  * ctrl: take both address and port from vty config
+  * .deb/.rpm: add osmocom user during package install
+
+  [ Vadim Yanitskiy ]
+  * update git URLs (git -> https; gitea)
+  * contrib/jenkins.sh: clone libnftnl and libnftables via git://
+  * copyright: fix typo: sysmocom s/s.m.f.c./s.f.m.c./ GmbH
+
+  [ arehbein ]
+  * osmo-pfcp-tool: Fix call to strerror
+  * up_session: Silence coverity warning
+
+  [ Andreas Eversberg ]
+  * Use uniform log format for default config files
+
+ -- Oliver Smith <osmith@sysmocom.de>  Wed, 11 Dec 2024 16:37:06 +0100
+
 osmo-upf (0.1.1) unstable; urgency=medium
 
   [ Vadim Yanitskiy ]

debian/compat

@@ -1 +1 @@
-9
+10

debian/control

@@ -2,7 +2,7 @@ Source: osmo-upf
 Section: net
 Priority: extra
 Maintainer: Osmocom team <openbsc@lists.osmocom.org>
-Build-Depends: debhelper (>=9),
+Build-Depends: debhelper (>= 10),
                dh-autoreconf,
                autotools-dev,
                autoconf,
@@ -12,10 +12,10 @@ Build-Depends: debhelper (>=9),
                pkg-config,
                python3-minimal,
                libtalloc-dev,
-               libgtpnl-dev (>= 1.2.0),
+               libgtpnl-dev (>= 1.3.0),
                libnftables-dev (>= 1.0.2),
-               libosmocore-dev (>= 1.6.0),
-               libosmo-pfcp-dev (>= 0.1.0),
+               libosmocore-dev (>= 1.10.0),
+               libosmo-pfcp-dev (>= 0.4.0),
                osmo-gsm-manuals-dev (>= 1.2.0)
 Standards-Version: 3.9.8
 Vcs-Git: https://gitea.osmocom.org/cellular-infrastructure/osmo-upf

debian/postinst

@@ -0,0 +1,38 @@
+#!/bin/sh -e
+case "$1" in
+	configure)
+		# Create the osmocom group and user (if it doesn't exist yet)
+		if ! getent group osmocom >/dev/null; then
+			groupadd --system osmocom
+		fi
+		if ! getent passwd osmocom >/dev/null; then
+			useradd \
+				--system \
+				--gid osmocom \
+				--home-dir /var/lib/osmocom \
+				--shell /sbin/nologin \
+				--comment "Open Source Mobile Communications" \
+				osmocom
+		fi
+
+		# Fix permissions of previous (root-owned) install (OS#4107)
+		if dpkg --compare-versions "$2" le "0.2.0"; then
+			if [ -e /etc/osmocom/osmo-upf.cfg ]; then
+				chown -v osmocom:osmocom /etc/osmocom/osmo-upf.cfg
+				chmod -v 0660 /etc/osmocom/osmo-upf.cfg
+			fi
+
+			if [ -d /etc/osmocom ]; then
+				chown -v root:osmocom /etc/osmocom
+				chmod -v 2775 /etc/osmocom
+			fi
+
+			mkdir -p /var/lib/osmocom
+			chown -R -v osmocom:osmocom /var/lib/osmocom
+		fi
+		;;
+esac
+
+# dh_installdeb(1) will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#

doc/examples/osmo-upf/osmo-upf-create-dev.cfg

@@ -1,11 +1,11 @@
 log stderr
  logging filter all 1
  logging color 1
- logging print level 1
- logging print category 1
  logging print category-hex 0
+ logging print category 1
+ logging timestamp 0
  logging print file basename last
- logging print extended-timestamp 1
+ logging print level 1
  logging level set-all notice
 
 timer pfcp x24 5000

doc/examples/osmo-upf/osmo-upf-mockup.cfg

@@ -1,11 +1,11 @@
 log stderr
  logging filter all 1
  logging color 1
- logging print level 1
- logging print category 1
  logging print category-hex 0
+ logging print category 1
+ logging timestamp 0
  logging print file basename last
- logging print extended-timestamp 1
+ logging print level 1
  logging level set-all notice
 
 timer pfcp x24 5000

doc/examples/osmo-upf/osmo-upf.cfg

@@ -1,11 +1,11 @@
 log stderr
  logging filter all 1
  logging color 1
- logging print level 1
- logging print category 1
  logging print category-hex 0
+ logging print category 1
+ logging timestamp 0
  logging print file basename last
- logging print extended-timestamp 1
+ logging print level 1
  logging level set-all notice
 
 timer pfcp x24 5000

doc/manuals/chapters/running.adoc

@@ -59,9 +59,7 @@ tunmap
  table-name osmo-upf-2
 ----
 
-=== Configuring Primary Links
-
-==== Configure PFCP Server
+=== Configure PFCP Server
 
 The following example configures OsmoUPF to listen for PFCP association requests
 from Control Plane Function entities on local interface 10.9.8.7, port 8805:
@@ -83,15 +81,15 @@ ID, and so far uses the 'local-addr' as local Node ID -- hence the 'local-addr'
 must not be "0.0.0.0", which is an unfortunate consequence. This is likely to
 improve in the future, see https://osmocom.org/issues/5682 .
 
-==== Configure Linux Kernel GTP Features
+=== Linux Kernel Features
 
 OsmoUPF uses two distinct Linux kernel features:
 
-* The GTP module is used for GTP encapsulation/decapsulation from/to
+* The GTP module is used for `tunend`: GTP encapsulation/decapsulation from/to
   "the internet".
 
-* The netfilter module is used for GTP tunnel proxying, also known as
-  tunnel forwarding or tunnel mapping.
+* The netfilter framework and nftables are used for `tunmap`: GTP tunnel proxying,
+  also known as tunnel forwarding or tunnel mapping.
 
 .Linux kernel feature usage
 [graphviz]
@@ -99,11 +97,15 @@ OsmoUPF uses two distinct Linux kernel features:
 include::upf_gtp_roles.dot[]
 ----
 
-GTP kernel module configuration can be omitted for sites that serve only as GTP
-forwarding proxy, without encapsulation/decapsulation of GTP payloads.
+GTP kernel module configuration in the `tunend` section can be omitted for sites
+that serve only as GTP forwarding proxy, without encapsulation/decapsulation of
+GTP payloads -- except to provide GTP Echo service, see <<gtp_echo>>.
+
+Netfilter configuration in the `tunmap` section can be omitted for sites only
+serving as GTP tunnel endpoint.
 
 [[gtp_module]]
-===== Configure Linux Kernel GTP Module for `tunend`
+=== Configure Linux Kernel GTP Module for `tunend`
 
 The Linux kernel GTP module is used for the `tunend` use case, i.e. GTP
 encapsulation/decapsulation from/to "the internet".
@@ -160,16 +162,62 @@ the `dev` config. In this case, all Network Instance names will be served by
 this GTP device. When using ANY, there should be exactly one GTP dev configured.
 
 [[nftables]]
-===== Configure Linux netfilter for `tunmap`
+=== Configure Linux netfilter for `tunmap`
 
 The Linux kernel netfilter module is used for GTP tunnel proxying, also known as
 tunnel forwarding or tunnel mapping.
 
-Using the netfilter module usually requires no configuration in `osmo-upf.cfg`.
+When using the netfilter module, you may set up `osmo-upf.cfg` for:
+- GTP Echo (required)
+- nft table name (optional)
 
-`osmo-upf` creates a new netfilter table, under which it submits rule sets for
-GTP tunnel proxying. This table name defaults to `osmo-upf`. A custom table name
-can be configured in `osmo-upf.cfg` like this:
+[[gtp_echo]]
+==== GTP Echo
+
+You need to ensure that OsmoUPF responds to GTP Echo requests.
+- A GTP device configured for `tunend` implicitly includes a GTP Echo service.
+- For `tunmap`, no GTP Echo mechanism is implemented.
+
+So, when your use case is `tunmap` only, you should still add a GTP device as
+for `tunend`, only to provide the GTP Echo service.
+
+Here are some options to do so:
+
+If you have no GTP devices configured in `osmo-upf.cfg` yet, you can add a
+single GTP device without a specific IP address, in order to respond to GTP-U
+Echo requests on all interfaces to anyone that is asking:
+
+----
+tunend
+ dev create gtp-echo
+----
+
+Note that `gtp-echo` is just an arbitrary GTP device name, choose any string
+that makes a valid network device name and is still available, as in the `dev`
+argument in the `ip addr show dev` command on Linux.
+
+This will bind osmo-upf on 0.0.0.0:2152 to respond to GTP Echo requests.
+
+If you would like to limit GTP Echo responses to specific network interfaces,
+you need to add a separate GTP device per local IP address:
+
+----
+tunend
+ dev create gtp-echo1 192.168.0.23
+ dev create gtp-echo2 10.9.8.17
+----
+
+This will bind osmo-upf only on 192.168.0.23:2152 and 10.9.8.17:2152 to respond
+to GTP Echo requests.
+
+For creating and manipulating a GTP device in more versatile ways, see
+<<gtp_module>>.
+
+==== nft Table Name
+
+For `tunmap`, `osmo-upf` creates a new nft table, under which it submits
+rule sets for GTP tunnel proxying. This table name defaults to `osmo-upf`. A
+custom table name can be configured in `osmo-upf.cfg` like this:
 
 ----
 tunmap
@@ -177,4 +225,45 @@ tunmap
 ----
 
 When running more than one osmo-upf process on a system, pick distinct table
-names to avoid name collisions in the nftables reulesets.
+names to avoid name collisions in the nftables rulesets.
+
+=== IP Forwarding
+
+In order to allow forwarding GTP payloads, the Linux operating system must
+be configured to allow IP forwarding.
+
+Note that there are many distribution-specific ways to configure this, and there
+might be higher-level firewall rule management software available like `ufw`.
+You should configure firewall rules matching your distribution and setup.
+
+To allow IP forwarding from and to all interfaces globally in a reboot-safe way,
+you may put a line like this in /etc/sysctl.conf:
+
+----
+net.ipv4.ip_forward=1
+----
+
+To do the same in an ad-hoc way that is not reboot safe but takes effect
+immediately:
+
+----
+sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
+----
+
+It is also possible to instruct the firewall to allow IP forwarding for specific
+network devices only. For example, on a Debian based system, place an nft
+ruleset like this in `/etc/nftables.conf`:
+
+----
+define gtp_netdevs = { eth0, eth23 };
+
+table inet filter {
+      chain forward {
+              type filter hook forward priority filter; policy drop;
+              iifname $gtp_netdevs oifname $gtp_netdevs udp dport 2152 accept
+      }
+}
+----
+
+This ruleset allows IP forwarding, but limited to the GTP-U port 2152,
+and to two specific network devices eth0 and eth23.

include/osmocom/upf/Makefile.am

@@ -7,5 +7,6 @@ noinst_HEADERS = \
 	upf_gtp.h \
 	upf_gtpu_echo.h \
 	upf_nft.h \
+	upf_tun.h \
 	up_gtp_action.h \
 	$(NULL)

include/osmocom/upf/up_endpoint.h

@@ -35,14 +35,14 @@ struct osmo_sockaddr;
 struct up_endpoint {
 	struct osmo_pfcp_endpoint *pfcp_ep;
 
+	/* list of struct up_peer. */
 	struct llist_head peers;
 
-	uint64_t next_seid_state;
-	uint32_t next_teid_state;
+	uint64_t next_up_seid_state;
 };
 
-struct up_endpoint *up_endpoint_init(void *ctx, const struct osmo_sockaddr *local_addr);
+struct up_endpoint *up_endpoint_alloc(void *ctx, const struct osmo_sockaddr *local_addr);
+int up_endpoint_bind(struct up_endpoint *up_ep);
 void up_endpoint_free(struct up_endpoint **ep);
 
-uint64_t up_endpoint_next_seid(struct up_endpoint *ep);
-uint32_t up_endpoint_next_teid(struct up_endpoint *ep);
+uint64_t up_endpoint_next_up_seid(struct up_endpoint *ep);

include/osmocom/upf/up_gtp_action.h

@@ -54,10 +54,10 @@ struct up_gtp_action {
 	enum up_gtp_action_kind kind;
 	union {
 		/* En-/De-capsulate GTP: add/remove a GTP header and forward the GTP payload from/to plain IP. */
-		struct upf_gtp_tunend_desc tunend;
+		struct upf_tunend tunend;
 
 		/* Tunnel-map GTP: translate from one TEID to another and forward */
-		struct upf_nft_tunmap_desc tunmap;
+		struct upf_tunmap tunmap;
 	};
 
 	/* volatile loop variable to match up wanted and actually present GTP actions */

include/osmocom/upf/up_peer.h

@@ -44,6 +44,7 @@ struct up_peer {
 	struct llist_head entry;
 
 	struct osmo_fsm_inst *fi;
+	/* backpointer */
 	struct up_endpoint *up_endpoint;
 
 	/* peer's remote address */

include/osmocom/upf/up_session.h

@@ -46,6 +46,7 @@ struct up_session {
 	struct hlist_node node_by_cp_seid;
 
 	struct osmo_fsm_inst *fi;
+	/* backpointer */
 	struct up_peer *up_peer;
 
 	struct osmo_pfcp_ie_f_seid cp_f_seid;
@@ -65,8 +66,7 @@ struct up_session {
 	struct llist_head active_gtp_actions;
 };
 
-struct up_session *up_session_find_or_add(struct up_peer *peer, const struct osmo_pfcp_ie_f_seid *cp_f_seid,
-					  const struct osmo_pfcp_ie_f_seid *up_f_seid);
+struct up_session *up_session_find_or_add(struct up_peer *peer, const struct osmo_pfcp_ie_f_seid *cp_f_seid);
 struct up_session *up_session_find_by_up_seid(struct up_peer *peer, uint64_t up_seid);
 struct up_session *up_session_find_by_cp_f_seid(struct up_peer *peer, const struct osmo_pfcp_ie_f_seid *cp_f_seid);
 struct up_session *up_session_find_by_local_teid(struct up_peer *peer, uint32_t teid);

include/osmocom/upf/upf.h

@@ -44,6 +44,7 @@ struct nft_ctx;
 #define PORT_GTP1_U 2152
 
 extern struct osmo_tdef_group g_upf_tdef_groups[];
+extern struct osmo_tdef g_upf_nft_tdefs[];
 
 struct pfcp_vty_cfg {
 	char *local_addr;
@@ -68,7 +69,7 @@ struct tunend_vty_cfg_dev {
 
 struct tunend_vty_cfg {
 	/* list of struct tunend_vty_cfg_dev, GTP devices as in the config file. The actual GTP devices in use are in
-	 * g_upf->gtp.devs. */
+	 * g_upf->tunend.devs. */
 	struct llist_head devs;
 };
 
@@ -101,7 +102,7 @@ struct g_upf {
 		int32_t genl_id;
 
 		uint8_t recovery_count;
-	} gtp;
+	} tunend;
 
 	/* Tunnel forwarding via linux netfilter */
 	struct {
@@ -113,7 +114,12 @@ struct g_upf {
 		int priority_pre;
 		int priority_post;
 		uint32_t next_chain_id_state;
-	} nft;
+	} tunmap;
+
+	struct {
+		uint32_t next_local_teid_state;
+		uint16_t next_echo_seq_nr;
+	} gtp;
 
 	struct llist_head netinst;
 };
@@ -130,7 +136,11 @@ enum upf_log_subsys {
 
 void g_upf_alloc(void *ctx);
 void upf_vty_init();
-int upf_pfcp_listen();
+int upf_pfcp_init(void);
+int upf_pfcp_listen(void);
 
 int upf_gtp_devs_open();
 void upf_gtp_devs_close();
+
+uint32_t upf_next_local_teid(void);
+uint32_t upf_next_chain_id(void);

include/osmocom/upf/upf_gtp.h

@@ -27,6 +27,8 @@
 #include <osmocom/core/select.h>
 #include <osmocom/core/logging.h>
 
+#include <osmocom/upf/upf_tun.h>
+
 #define LOG_GTP_DEV(DEV, LEVEL, FMT, ARGS...) \
 	LOGP(DGTP, LEVEL, "%s: " FMT, upf_gtp_dev_to_str_c(OTC_SELECT, (DEV)), ##ARGS)
 
@@ -57,19 +59,14 @@ struct upf_gtp_dev {
 
 /* Description of a GTP encapsulation / decapsulation.
  * The active state to operate the GTP kernel module accordingly is kept in struct upf_gtp_tunend. */
-struct upf_gtp_tunend_desc {
-	struct {
-		struct osmo_sockaddr gtp_local_addr;
-		uint32_t local_teid;
-		struct osmo_sockaddr gtp_remote_addr;
-		uint32_t remote_teid;
-	} access;
+struct upf_tunend {
+	struct upf_tun access;
 	struct {
 		struct osmo_sockaddr ue_local_addr;
 	} core;
 };
 
-int upf_gtp_tunend_desc_cmp(const struct upf_gtp_tunend_desc *a, const struct upf_gtp_tunend_desc *b);
+int upf_gtp_tunend_cmp(const struct upf_tunend *a, const struct upf_tunend *b);
 
 int upf_gtp_genl_ensure_open();
 void upf_gtp_genl_close();
@@ -80,8 +77,8 @@ struct upf_gtp_dev *upf_gtp_dev_find_by_name(const char *name);
 struct upf_gtp_dev *upf_gtp_dev_find_by_local_addr(const struct osmo_sockaddr *local_addr);
 struct upf_gtp_dev *upf_gtp_dev_first();
 
-int upf_gtp_dev_tunend_add(struct upf_gtp_dev *dev, const struct upf_gtp_tunend_desc *t);
-int upf_gtp_dev_tunend_del(struct upf_gtp_dev *dev, const struct upf_gtp_tunend_desc *t);
+int upf_gtp_dev_tunend_add(struct upf_gtp_dev *dev, const struct upf_tunend *t);
+int upf_gtp_dev_tunend_del(struct upf_gtp_dev *dev, const struct upf_tunend *t);
 
 int upf_gtp_dev_to_str_buf(char *buf, size_t buflen, const struct upf_gtp_dev *dev);
 char *upf_gtp_dev_to_str_c(void *ctx, const struct upf_gtp_dev *dev);

include/osmocom/upf/upf_gtpu_echo.h

@@ -2,3 +2,4 @@
 #pragma once
 
 int upf_gtpu_echo_setup(struct upf_gtp_dev *dev);
+int upf_gtpu_echo_req_tx(struct upf_gtp_dev *dev, const struct osmo_sockaddr *remote, uint16_t seq_nr);

include/osmocom/upf/upf_nft.h

@@ -25,34 +25,27 @@
 
 #include <stdint.h>
 
-#include <osmocom/core/socket.h>
+#include <osmocom/upf/upf_tun.h>
 
-struct upf_nft_tunmap_desc {
-	struct {
-		struct osmo_sockaddr gtp_local_addr;
-		uint32_t local_teid;
-		struct osmo_sockaddr gtp_remote_addr;
-		uint32_t remote_teid;
-		uint32_t chain_id;
-	} access;
-	struct {
-		struct osmo_sockaddr gtp_local_addr;
-		uint32_t local_teid;
-		struct osmo_sockaddr gtp_remote_addr;
-		uint32_t remote_teid;
-		uint32_t chain_id;
-	} core;
+struct upf_nft_tun {
+	struct upf_tun tun;
+	uint32_t chain_id;
 };
 
-int upf_nft_tunmap_to_str_buf(char *buf, size_t buflen, const struct upf_nft_tunmap_desc *tunmap);
-char *upf_nft_tunmap_to_str_c(void *ctx, const struct upf_nft_tunmap_desc *tunmap);
+struct upf_tunmap {
+	struct upf_nft_tun access;
+	struct upf_nft_tun core;
+};
+
+int upf_nft_tunmap_to_str_buf(char *buf, size_t buflen, const struct upf_tunmap *tunmap);
+char *upf_nft_tunmap_to_str_c(void *ctx, const struct upf_tunmap *tunmap);
 
 int upf_nft_init();
 int upf_nft_free();
 
 char *upf_nft_tunmap_get_table_init_str(void *ctx);
 char *upf_nft_tunmap_get_vmap_init_str(void *ctx);
-char *upf_nft_tunmap_get_ruleset_str(void *ctx, struct upf_nft_tunmap_desc *tunmap);
-char *upf_nft_tunmap_get_ruleset_del_str(void *ctx, struct upf_nft_tunmap_desc *tunmap);
-int upf_nft_tunmap_create(struct upf_nft_tunmap_desc *tunmap);
-int upf_nft_tunmap_delete(struct upf_nft_tunmap_desc *tunmap);
+char *upf_nft_tunmap_get_ruleset_str(void *ctx, struct upf_tunmap *tunmap);
+char *upf_nft_tunmap_get_ruleset_del_str(void *ctx, struct upf_tunmap *tunmap);
+int upf_nft_tunmap_create(struct upf_tunmap *tunmap);
+int upf_nft_tunmap_delete(struct upf_tunmap *tunmap);

include/osmocom/upf/upf_tun.h

@@ -0,0 +1,38 @@
+/*
+ * (C) 2023 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
+ * All Rights Reserved.
+ *
+ * Author: Neels Janosch Hofmeyr <nhofmeyr@sysmocom.de>
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#pragma once
+
+#include <stdint.h>
+
+#include <osmocom/core/socket.h>
+
+struct upf_tun_ep {
+	struct osmo_sockaddr addr;
+	uint32_t teid;
+};
+
+struct upf_tun {
+	struct upf_tun_ep local;
+	struct upf_tun_ep remote;
+};

osmoappdesc.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-# (C) 2021-2022 by sysmocom - s.m.f.c. GmbH <info@sysmocom.de>
+# (C) 2021-2022 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or

src/osmo-pfcp-tool/Makefile.am

@@ -10,7 +10,6 @@ AM_CFLAGS = \
 	$(LIBOSMOCORE_CFLAGS) \
 	$(LIBOSMOVTY_CFLAGS) \
 	$(LIBOSMOCTRL_CFLAGS) \
-	$(LIBOSMOGTLV_CFLAGS) \
 	$(LIBOSMOPFCP_CFLAGS) \
 	$(COVERAGE_CFLAGS) \
 	$(NULL)
@@ -19,7 +18,6 @@ AM_LDFLAGS = \
 	$(LIBOSMOCORE_LIBS) \
 	$(LIBOSMOVTY_LIBS) \
 	$(LIBOSMOCTRL_LIBS) \
-	$(LIBOSMOGTLV_LIBS) \
 	$(LIBOSMOPFCP_LIBS) \
 	$(COVERAGE_LDFLAGS) \
 	$(NULL)

src/osmo-pfcp-tool/pfcp_tool.h

@@ -61,14 +61,14 @@ struct pfcp_tool_gtp_tun {
 	struct pfcp_tool_gtp_tun_ep remote;
 };
 
-struct pfcp_tool_tunend_desc {
+struct pfcp_tool_tunend {
 	struct pfcp_tool_gtp_tun access;
 	struct {
 		struct osmo_sockaddr_str ue_local_addr;
 	} core;
 };
 
-struct pfcp_tool_tunmap_desc {
+struct pfcp_tool_tunmap {
 	struct pfcp_tool_gtp_tun access;
 	struct pfcp_tool_gtp_tun core;
 };
@@ -83,10 +83,10 @@ struct pfcp_tool_session {
 	enum up_gtp_action_kind kind;
 	union {
 		/* En-/De-capsulate GTP: add/remove a GTP header and forward the GTP payload from/to plain IP. */
-		struct pfcp_tool_tunend_desc tunend;
+		struct pfcp_tool_tunend tunend;
 
 		/* Tunnel-map GTP: translate from one TEID to another and forward */
-		struct pfcp_tool_tunmap_desc tunmap;
+		struct pfcp_tool_tunmap tunmap;
 	};
 };
 

src/osmo-pfcp-tool/pfcp_tool_vty.c

@@ -97,9 +97,9 @@ DEFUN(c_listen, c_listen_cmd,
 
 	rc = osmo_pfcp_endpoint_bind(g_pfcp_tool->ep);
 	if (rc) {
-		vty_out(vty, "Failed to bind PFCP endpoint on %s: %s%s\n",
+		vty_out(vty, "Failed to bind PFCP endpoint on %s: %s%s",
 			osmo_sockaddr_to_str_c(OTC_SELECT, osmo_pfcp_endpoint_get_local_addr(g_pfcp_tool->ep)),
-			strerror(rc), VTY_NEWLINE);
+			strerror(-rc), VTY_NEWLINE);
 		return CMD_WARNING;
 	}
 	return CMD_SUCCESS;
@@ -108,7 +108,7 @@ DEFUN(c_listen, c_listen_cmd,
 DEFUN(c_sleep, c_sleep_cmd,
 	"sleep <0-999999> [<0-999>]",
 	"Let some time pass\n"
-	"Seconds to wait\n")
+	"Seconds to wait\n" "Additional milliseconds to wait\n")
 {
 	int secs = atoi(argv[0]);
 	int msecs = 0;
@@ -397,6 +397,11 @@ DEFUN(s_f_teid_choose, s_f_teid_choose_cmd,
 	return CMD_SUCCESS;
 }
 
+enum pdr_id_fixed {
+	PDR_ID_CORE = 1,
+	PDR_ID_ACCESS = 2,
+};
+
 int session_tunend_tx_est_req(struct vty *vty, const char **argv, int argc)
 {
 	struct pfcp_tool_session *session = vty->index;
@@ -475,7 +480,7 @@ int session_tunend_tx_est_req(struct vty *vty, const char **argv, int argc)
 		.create_pdr_count = 2,
 		.create_pdr = {
 			{
-				.pdr_id = 1,
+				.pdr_id = PDR_ID_CORE,
 				.precedence = 255,
 				.pdi = {
 					.source_iface = OSMO_PFCP_SOURCE_IFACE_CORE,
@@ -492,7 +497,7 @@ int session_tunend_tx_est_req(struct vty *vty, const char **argv, int argc)
 				.far_id = 1,
 			},
 			{
-				.pdr_id = 2,
+				.pdr_id = PDR_ID_ACCESS,
 				.precedence = 255,
 				.pdi = {
 					.source_iface = OSMO_PFCP_SOURCE_IFACE_ACCESS,
@@ -635,7 +640,7 @@ int session_tunmap_tx_est_req(struct vty *vty, const char **argv, int argc)
 		.create_pdr_count = 2,
 		.create_pdr = {
 			{
-				.pdr_id = 1,
+				.pdr_id = PDR_ID_CORE,
 				.precedence = 255,
 				.pdi = {
 					.source_iface = OSMO_PFCP_SOURCE_IFACE_CORE,
@@ -650,7 +655,7 @@ int session_tunmap_tx_est_req(struct vty *vty, const char **argv, int argc)
 				.far_id = 1,
 			},
 			{
-				.pdr_id = 2,
+				.pdr_id = PDR_ID_ACCESS,
 				.precedence = 255,
 				.pdi = {
 					.source_iface = OSMO_PFCP_SOURCE_IFACE_ACCESS,

src/osmo-upf/Makefile.am

@@ -10,7 +10,6 @@ AM_CFLAGS = \
 	$(LIBOSMOCORE_CFLAGS) \
 	$(LIBOSMOVTY_CFLAGS) \
 	$(LIBOSMOCTRL_CFLAGS) \
-	$(LIBOSMOGTLV_CFLAGS) \
 	$(LIBOSMOPFCP_CFLAGS) \
 	$(LIBGTPNL_CFLAGS) \
 	$(LIBNFTNL_CFLAGS) \
@@ -19,19 +18,15 @@ AM_CFLAGS = \
 	$(NULL)
 
 AM_LDFLAGS = \
-	$(LIBGTPNL_LDFLAGS) \
-	$(LIBNFTNL_LDFLAGS) \
-	$(LIBNFTABLES_LDFLAGS) \
 	$(COVERAGE_LDFLAGS) \
 	$(NULL)
 
-bin_PROGRAMS = \
-	osmo-upf \
+noinst_LTLIBRARIES = \
+	libupf.la \
 	$(NULL)
 
-osmo_upf_SOURCES = \
+libupf_la_SOURCES = \
 	netinst.c \
-	osmo_upf_main.c \
 	up_endpoint.c \
 	up_gtp_action.c \
 	up_peer.c \
@@ -43,14 +38,24 @@ osmo_upf_SOURCES = \
 	upf_vty.c \
 	$(NULL)
 
-osmo_upf_LDADD = \
+libupf_la_LIBADD = \
 	$(LIBOSMOCORE_LIBS) \
 	$(LIBOSMOVTY_LIBS) \
 	$(LIBOSMOCTRL_LIBS) \
-	$(LIBOSMOGTLV_LIBS) \
 	$(LIBOSMOPFCP_LIBS) \
 	$(LIBGTPNL_LIBS) \
 	$(LIBNFTNL_LIBS) \
 	$(LIBNFTABLES_LIBS) \
-	$(COVERAGE_LDFLAGS) \
+	$(NULL)
+
+bin_PROGRAMS = \
+	osmo-upf \
+	$(NULL)
+
+osmo_upf_SOURCES = \
+	osmo_upf_main.c \
+	$(NULL)
+
+osmo_upf_LDADD = \
+	libupf.la \
 	$(NULL)

src/osmo-upf/up_endpoint.c

@@ -233,9 +233,8 @@ static void up_endpoint_rx_cb(struct osmo_pfcp_endpoint *ep, struct osmo_pfcp_ms
 	}
 }
 
-struct up_endpoint *up_endpoint_init(void *ctx, const struct osmo_sockaddr *local_addr)
+struct up_endpoint *up_endpoint_alloc(void *ctx, const struct osmo_sockaddr *local_addr)
 {
-	int rc;
 	struct osmo_pfcp_endpoint_cfg cfg;
 	struct up_endpoint *up_ep;
 	up_ep = talloc_zero(ctx, struct up_endpoint);
@@ -252,14 +251,16 @@ struct up_endpoint *up_endpoint_init(void *ctx, const struct osmo_sockaddr *loca
 	up_ep->pfcp_ep = osmo_pfcp_endpoint_create(up_ep, &cfg);
 	OSMO_ASSERT(up_ep->pfcp_ep);
 
-	rc = osmo_pfcp_endpoint_bind(up_ep->pfcp_ep);
-	if (rc) {
-		talloc_free(up_ep);
-		return NULL;
-	}
 	return up_ep;
 }
 
+int up_endpoint_bind(struct up_endpoint *up_ep)
+{
+	OSMO_ASSERT(up_ep);
+	OSMO_ASSERT(up_ep->pfcp_ep);
+	return osmo_pfcp_endpoint_bind(up_ep->pfcp_ep);
+}
+
 static struct up_session *up_endpoint_find_session(struct up_endpoint *ep, uint64_t up_seid)
 {
 		struct up_peer *peer;
@@ -271,22 +272,11 @@ static struct up_session *up_endpoint_find_session(struct up_endpoint *ep, uint6
 		return NULL;
 }
 
-static struct up_session *up_endpoint_find_session_by_local_teid(struct up_endpoint *ep, uint32_t teid)
-{
-		struct up_peer *peer;
-		llist_for_each_entry(peer, &ep->peers, entry) {
-			struct up_session *session = up_session_find_by_local_teid(peer, teid);
-			if (session)
-				return session;
-		}
-		return NULL;
-}
-
-uint64_t up_endpoint_next_seid(struct up_endpoint *ep)
+uint64_t up_endpoint_next_up_seid(struct up_endpoint *ep)
 {
 	uint64_t sanity;
 	for (sanity = 2342; sanity; sanity--) {
-		uint64_t next_seid = osmo_pfcp_next_seid(&ep->next_seid_state);
+		uint64_t next_seid = osmo_pfcp_next_seid(&ep->next_up_seid_state);
 		if (up_endpoint_find_session(ep, next_seid))
 			continue;
 		return next_seid;
@@ -294,26 +284,6 @@ uint64_t up_endpoint_next_seid(struct up_endpoint *ep)
 	return 0;
 }
 
-static uint32_t up_endpoint_inc_teid(struct up_endpoint *ep)
-{
-	ep->next_teid_state++;
-	if (!ep->next_teid_state)
-		ep->next_teid_state++;
-	return ep->next_teid_state;
-}
-
-uint32_t up_endpoint_next_teid(struct up_endpoint *ep)
-{
-	uint32_t sanity;
-	for (sanity = 2342; sanity; sanity--) {
-		uint32_t next_teid = up_endpoint_inc_teid(ep);
-		if (up_endpoint_find_session_by_local_teid(ep, next_teid))
-			continue;
-		return next_teid;
-	}
-	return 0;
-}
-
 void up_endpoint_free(struct up_endpoint **_ep)
 {
 	struct up_peer *peer;

src/osmo-upf/up_gtp_action.c

@@ -48,11 +48,11 @@ int up_gtp_action_cmp(const struct up_gtp_action *a, const struct up_gtp_action
 
 	switch (a->kind) {
 	case UP_GTP_U_TUNEND:
-		if ((cmp = CMP_MEMB(tunend.access.local_teid)))
+		if ((cmp = CMP_MEMB(tunend.access.local.teid)))
 			return cmp;
-		if ((cmp = CMP_MEMB(tunend.access.remote_teid)))
+		if ((cmp = CMP_MEMB(tunend.access.remote.teid)))
 			return cmp;
-		cmp = osmo_sockaddr_cmp(&a->tunend.access.gtp_remote_addr, &b->tunend.access.gtp_remote_addr);
+		cmp = osmo_sockaddr_cmp(&a->tunend.access.remote.addr, &b->tunend.access.remote.addr);
 		if (cmp)
 			return cmp;
 		cmp = osmo_sockaddr_cmp(&a->tunend.core.ue_local_addr, &b->tunend.core.ue_local_addr);
@@ -61,13 +61,13 @@ int up_gtp_action_cmp(const struct up_gtp_action *a, const struct up_gtp_action
 		break;
 
 	case UP_GTP_U_TUNMAP:
-		if ((cmp = CMP_MEMB(tunmap.access.local_teid)))
+		if ((cmp = CMP_MEMB(tunmap.access.tun.local.teid)))
 			return cmp;
-		if ((cmp = CMP_MEMB(tunmap.access.remote_teid)))
+		if ((cmp = CMP_MEMB(tunmap.access.tun.remote.teid)))
 			return cmp;
-		if ((cmp = CMP_MEMB(tunmap.core.local_teid)))
+		if ((cmp = CMP_MEMB(tunmap.core.tun.local.teid)))
 			return cmp;
-		if ((cmp = CMP_MEMB(tunmap.core.remote_teid)))
+		if ((cmp = CMP_MEMB(tunmap.core.tun.remote.teid)))
 			return cmp;
 		break;
 	default:
@@ -84,14 +84,14 @@ static int up_gtp_action_enable_disable(struct up_gtp_action *a, bool enable)
 
 	switch (a->kind) {
 	case UP_GTP_U_TUNEND:
-		if (g_upf->gtp.mockup) {
+		if (g_upf->tunend.mockup) {
 			LOG_UP_GTP_ACTION(a, LOGL_NOTICE, "tunend/mockup active, skipping GTP action %s\n",
 					  enable ? "enable" : "disable");
 			return 0;
 		}
 
 		/* Pick GTP device matching the local F-TEID set up for the GTP tunnel (it is on the Access side) */
-		gtp_addr = &a->tunend.access.gtp_local_addr;
+		gtp_addr = &a->tunend.access.local.addr;
 		gtp_dev = upf_gtp_dev_find_by_local_addr(gtp_addr);
 		if (!gtp_dev) {
 			LOG_UP_GTP_ACTION(a, LOGL_ERROR, "No GTP device open for local address %s, cannot %s"
@@ -116,7 +116,7 @@ static int up_gtp_action_enable_disable(struct up_gtp_action *a, bool enable)
 		return 0;
 
 	case UP_GTP_U_TUNMAP:
-		if (g_upf->nft.mockup) {
+		if (g_upf->tunmap.mockup) {
 			LOG_UP_GTP_ACTION(a, LOGL_NOTICE, "tunmap/mockup active, skipping nftables ruleset %s\n",
 					  enable ? "enable" : "disable");
 			return 0;
@@ -158,26 +158,26 @@ int up_gtp_action_to_str_buf(char *buf, size_t buflen, const struct up_gtp_actio
 	switch (a->kind) {
 	case UP_GTP_U_TUNEND:
 		OSMO_STRBUF_PRINTF(sb, "GTP:tunend GTP-access-r:");
-		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunend.access.gtp_remote_addr);
-		OSMO_STRBUF_PRINTF(sb, " TEID-access-r:0x%"PRIx32, a->tunend.access.remote_teid);
+		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunend.access.remote.addr);
+		OSMO_STRBUF_PRINTF(sb, " TEID-access-r:0x%"PRIx32, a->tunend.access.remote.teid);
 		OSMO_STRBUF_PRINTF(sb, " GTP-access-l:");
-		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunend.access.gtp_local_addr);
-		OSMO_STRBUF_PRINTF(sb, " TEID-access-l:0x%"PRIx32" IP-core-l:", a->tunend.access.local_teid);
+		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunend.access.local.addr);
+		OSMO_STRBUF_PRINTF(sb, " TEID-access-l:0x%"PRIx32" IP-core-l:", a->tunend.access.local.teid);
 		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunend.core.ue_local_addr);
 		break;
 	case UP_GTP_U_TUNMAP:
 		OSMO_STRBUF_PRINTF(sb, "GTP:tunmap GTP-access-r:");
-		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunmap.access.gtp_remote_addr);
-		OSMO_STRBUF_PRINTF(sb, " TEID-access-r:0x%"PRIx32, a->tunmap.access.remote_teid);
+		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunmap.access.tun.remote.addr);
+		OSMO_STRBUF_PRINTF(sb, " TEID-access-r:0x%"PRIx32, a->tunmap.access.tun.remote.teid);
 		OSMO_STRBUF_PRINTF(sb, " GTP-access-l:");
-		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunmap.access.gtp_local_addr);
-		OSMO_STRBUF_PRINTF(sb, " TEID-access-l:0x%"PRIx32, a->tunmap.access.local_teid);
+		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunmap.access.tun.local.addr);
+		OSMO_STRBUF_PRINTF(sb, " TEID-access-l:0x%"PRIx32, a->tunmap.access.tun.local.teid);
 		OSMO_STRBUF_PRINTF(sb, " GTP-core-r:");
-		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunmap.core.gtp_remote_addr);
-		OSMO_STRBUF_PRINTF(sb, " TEID-core-r:0x%"PRIx32, a->tunmap.core.remote_teid);
+		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunmap.core.tun.remote.addr);
+		OSMO_STRBUF_PRINTF(sb, " TEID-core-r:0x%"PRIx32, a->tunmap.core.tun.remote.teid);
 		OSMO_STRBUF_PRINTF(sb, " GTP-core-l:");
-		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunmap.core.gtp_local_addr);
-		OSMO_STRBUF_PRINTF(sb, " TEID-core-l:0x%"PRIx32, a->tunmap.core.local_teid);
+		OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &a->tunmap.core.tun.local.addr);
+		OSMO_STRBUF_PRINTF(sb, " TEID-core-l:0x%"PRIx32, a->tunmap.core.tun.local.teid);
 		break;
 	case UP_GTP_DROP:
 		OSMO_STRBUF_PRINTF(sb, "GTP:drop");

src/osmo-upf/up_peer.c

@@ -299,7 +299,7 @@ static void up_peer_rx_session_est_req(struct up_peer *peer, struct osmo_pfcp_ms
 {
 	enum osmo_pfcp_cause cause = OSMO_PFCP_CAUSE_REQUEST_ACCEPTED;
 	struct osmo_pfcp_msg *resp;
-	struct up_session *session = up_session_find_or_add(peer, &m->ies.session_est_req.cp_f_seid, NULL);
+	struct up_session *session = up_session_find_or_add(peer, &m->ies.session_est_req.cp_f_seid);
 
 	if (!session) {
 		cause = OSMO_PFCP_CAUSE_NO_RESOURCES_AVAILABLE;

src/osmo-upf/up_session.c

@@ -185,7 +185,6 @@ static enum osmo_pfcp_cause up_session_choose_f_teid(struct up_session *session,
 						     bool choose_id_present, uint8_t choose_id,
 						     const char *netinst_name)
 {
-	struct up_endpoint *up_ep = session->up_peer->up_endpoint;
 	struct chosen_f_teid *chosen = NULL;
 
 	if (choose_id_present)
@@ -206,7 +205,7 @@ static enum osmo_pfcp_cause up_session_choose_f_teid(struct up_session *session,
 			return rc;
 
 		/* Choose a new TEID */
-		dst->fixed.teid = up_endpoint_next_teid(up_ep);
+		dst->fixed.teid = upf_next_local_teid();
 		if (dst->fixed.teid == 0) {
 			LOGPFSML(session->fi, LOGL_ERROR, "Failed to allocate an unused TEID\n");
 			return OSMO_PFCP_CAUSE_PFCP_ENTITY_IN_CONGESTION;
@@ -557,8 +556,7 @@ static struct pdr *pdr_upd(struct pdr *pdr,
 	return pdr;
 
 nack_resp:
-	if (pdr)
-		pdr_del(pdr);
+	pdr_del(pdr);
 	if (!*offending_ie_present) {
 		*offending_ie = OSMO_PFCP_IEI_UPD_PDR;
 		*offending_ie_present = true;
@@ -987,7 +985,7 @@ static inline uint64_t up_session_key(uint64_t cp_seid, uint64_t up_seid)
 static struct up_session *up_session_add(struct up_peer *peer, const struct osmo_pfcp_ie_f_seid *cp_f_seid)
 {
 	struct up_session *session;
-	uint64_t up_seid = up_endpoint_next_seid(peer->up_endpoint);
+	uint64_t up_seid = up_endpoint_next_up_seid(peer->up_endpoint);
 
 	if (!up_seid)
 		return NULL;
@@ -1022,16 +1020,11 @@ static struct up_session *up_session_add(struct up_peer *peer, const struct osmo
 	return session;
 }
 
-struct up_session *up_session_find_or_add(struct up_peer *peer, const struct osmo_pfcp_ie_f_seid *cp_f_seid,
-					  const struct osmo_pfcp_ie_f_seid *up_f_seid)
+struct up_session *up_session_find_or_add(struct up_peer *peer, const struct osmo_pfcp_ie_f_seid *cp_f_seid)
 {
 	struct up_session *session;
-	if (cp_f_seid)
-		session = up_session_find_by_cp_f_seid(peer, cp_f_seid);
-	else if (up_f_seid)
-		session = up_session_find_by_up_seid(peer, up_f_seid->seid);
-	else
-		return NULL;
+	OSMO_ASSERT(cp_f_seid);
+	session = up_session_find_by_cp_f_seid(peer, cp_f_seid);
 	if (session)
 		return session;
 
@@ -1227,10 +1220,14 @@ static void add_gtp_action_tunend(void *ctx, struct llist_head *dst, struct pdr
 		.kind = UP_GTP_U_TUNEND,
 		.tunend = {
 			.access = {
-				.gtp_local_addr = pdr->local_f_teid->fixed.ip_addr.v4,
-				.local_teid = pdr->local_f_teid->fixed.teid,
-				.gtp_remote_addr = rfar_forw->outer_header_creation.ip_addr.v4,
-				.remote_teid = rfar_forw->outer_header_creation.teid,
+				.local = {
+					.addr = pdr->local_f_teid->fixed.ip_addr.v4,
+					.teid = pdr->local_f_teid->fixed.teid,
+				},
+				.remote = {
+					.addr = rfar_forw->outer_header_creation.ip_addr.v4,
+					.teid = rfar_forw->outer_header_creation.teid,
+				},
 			},
 			.core = {
 				.ue_local_addr = rpdr->desc.pdi.ue_ip_address.ip_addr.v4,
@@ -1336,17 +1333,25 @@ static void add_gtp_action_tunmap(void *ctx, struct llist_head *dst, struct pdr
 		.pdr_core = rpdr->desc.pdr_id,
 		.kind = UP_GTP_U_TUNMAP,
 		.tunmap = {
-			.access = {
-				.gtp_local_addr = pdr->local_f_teid->fixed.ip_addr.v4,
-				.local_teid = pdr->local_f_teid->fixed.teid,
-				.gtp_remote_addr = rfar_forw->outer_header_creation.ip_addr.v4,
-				.remote_teid = rfar_forw->outer_header_creation.teid,
+			.access.tun = {
+				.local = {
+					.addr = pdr->local_f_teid->fixed.ip_addr.v4,
+					.teid = pdr->local_f_teid->fixed.teid,
+				},
+				.remote = {
+					.addr = rfar_forw->outer_header_creation.ip_addr.v4,
+					.teid = rfar_forw->outer_header_creation.teid,
+				},
 			},
-			.core = {
-				.gtp_local_addr = rpdr->local_f_teid->fixed.ip_addr.v4,
-				.local_teid = rpdr->local_f_teid->fixed.teid,
-				.gtp_remote_addr = far_forw->outer_header_creation.ip_addr.v4,
-				.remote_teid = far_forw->outer_header_creation.teid,
+			.core.tun = {
+				.local =  {
+					.addr = rpdr->local_f_teid->fixed.ip_addr.v4,
+					.teid = rpdr->local_f_teid->fixed.teid,
+				},
+				.remote = {
+					.addr = far_forw->outer_header_creation.ip_addr.v4,
+					.teid = far_forw->outer_header_creation.teid,
+				},
 			},
 		},
 	};
@@ -1523,11 +1528,16 @@ static enum osmo_pfcp_cause up_session_setup_gtp(struct up_session *session)
 	return cause;
 }
 
+/* Return true when the session is in Established state and has active GTP actions. */
 bool up_session_is_active(struct up_session *session)
 {
 	return session && (session->fi->state == UP_SESSION_ST_ESTABLISHED) && !llist_empty(&session->active_gtp_actions);
 }
 
+/* Return true when up_session_is_active() == true *and* it has only active PDR/FAR pairs.
+ * A PDR/FAR is inactive when it is not part of an active GTP action. Reasons may be that it has no PDR-to-FAR relation,
+ * there is no matching reverse PDR/FAR, that a FAR is not set to FORW, an ignored Source/Destination Interface, ...
+ */
 bool up_session_is_fully_active(struct up_session *session, int *active_p, int *inactive_p)
 {
 	struct pdr *pdr;

src/osmo-upf/upf.c

@@ -29,12 +29,27 @@
 
 #include <osmocom/upf/upf.h>
 #include <osmocom/upf/up_endpoint.h>
+#include <osmocom/upf/up_peer.h>
+#include <osmocom/upf/up_session.h>
+#include <osmocom/upf/up_gtp_action.h>
 #include <osmocom/upf/upf_gtp.h>
 
 struct g_upf *g_upf = NULL;
 
+struct osmo_tdef g_upf_nft_tdefs[] = {
+	{ .T = -32, .default_val = 1000, .unit = OSMO_TDEF_MS,
+	  .desc = "How long to wait for more nft rulesets before flushing in batch",
+	},
+	{ .T = -33, .default_val = 1, .unit = OSMO_TDEF_CUSTOM,
+	  .desc = "When reaching this nr of queued nft rulesets, flush the queue",
+	  .max_val = 128,
+	},
+	{}
+};
+
 struct osmo_tdef_group g_upf_tdef_groups[] = {
 	{ "pfcp", "PFCP endpoint timers", osmo_pfcp_tdefs, },
+	{ "nft", "netfilter timers", g_upf_nft_tdefs, },
 	{}
 };
 
@@ -50,22 +65,22 @@ void g_upf_alloc(void *ctx)
 				.local_port = OSMO_PFCP_PORT,
 			},
 		},
-		.nft = {
+		.tunmap = {
 			.priority_pre = -300,
 			.priority_post = 400,
 		},
-		.gtp = {
+		.tunend = {
 			/* TODO: recovery count state file; use lower byte of current time, poor person's random. */
 			.recovery_count = time(NULL),
 		},
 	};
 
-	INIT_LLIST_HEAD(&g_upf->gtp.vty_cfg.devs);
-	INIT_LLIST_HEAD(&g_upf->gtp.devs);
+	INIT_LLIST_HEAD(&g_upf->tunend.vty_cfg.devs);
+	INIT_LLIST_HEAD(&g_upf->tunend.devs);
 	INIT_LLIST_HEAD(&g_upf->netinst);
 }
 
-int upf_pfcp_listen()
+int upf_pfcp_init(void)
 {
 	struct osmo_sockaddr_str local_addr_str;
 	struct osmo_sockaddr local_addr;
@@ -77,9 +92,8 @@ int upf_pfcp_listen()
 	 * osmo_sockaddr. */
 	osmo_sockaddr_str_from_str(&local_addr_str, g_upf->pfcp.vty_cfg.local_addr, g_upf->pfcp.vty_cfg.local_port);
 	osmo_sockaddr_str_to_sockaddr(&local_addr_str, &local_addr.u.sas);
-	LOGP(DLPFCP, LOGL_NOTICE, "PFCP: Listening on %s\n", osmo_sockaddr_to_str_c(OTC_SELECT, &local_addr));
 
-	g_upf->pfcp.ep = up_endpoint_init(g_upf, &local_addr);
+	g_upf->pfcp.ep = up_endpoint_alloc(g_upf, &local_addr);
 	if (!g_upf->pfcp.ep) {
 		fprintf(stderr, "Failed to allocate PFCP endpoint.\n");
 		return -1;
@@ -87,9 +101,29 @@ int upf_pfcp_listen()
 	return 0;
 }
 
+int upf_pfcp_listen(void)
+{
+	int rc;
+	if (!g_upf->pfcp.ep) {
+		rc = upf_pfcp_init();
+		if (rc)
+			return rc;
+	}
+
+	rc = up_endpoint_bind(g_upf->pfcp.ep);
+	if (rc) {
+		LOGP(DLPFCP, LOGL_ERROR, "PFCP: failed to listen on %s\n",
+		     osmo_sockaddr_to_str_c(OTC_SELECT, osmo_pfcp_endpoint_get_local_addr(g_upf->pfcp.ep->pfcp_ep)));
+		return rc;
+	}
+	LOGP(DLPFCP, LOGL_NOTICE, "PFCP: Listening on %s\n",
+	     osmo_sockaddr_to_str_c(OTC_SELECT, osmo_pfcp_endpoint_get_local_addr(g_upf->pfcp.ep->pfcp_ep)));
+	return 0;
+}
+
 int upf_gtp_devs_open()
 {
-	struct tunend_vty_cfg *c = &g_upf->gtp.vty_cfg;
+	struct tunend_vty_cfg *c = &g_upf->tunend.vty_cfg;
 	struct tunend_vty_cfg_dev *d;
 
 	llist_for_each_entry(d, &c->devs, entry) {
@@ -98,3 +132,85 @@ int upf_gtp_devs_open()
 	}
 	return 0;
 }
+
+static bool upf_is_local_teid_in_use(uint32_t teid)
+{
+	struct up_peer *peer;
+	llist_for_each_entry(peer, &g_upf->pfcp.ep->peers, entry) {
+		struct up_session *session = up_session_find_by_local_teid(peer, teid);
+		if (session)
+			return true;
+	}
+	return false;
+}
+
+static uint32_t upf_next_local_teid_inc(void)
+{
+	g_upf->gtp.next_local_teid_state++;
+	if (!g_upf->gtp.next_local_teid_state)
+		g_upf->gtp.next_local_teid_state++;
+	return g_upf->gtp.next_local_teid_state;
+}
+
+uint32_t upf_next_local_teid(void)
+{
+	uint32_t sanity;
+	for (sanity = 2342; sanity; sanity--) {
+		uint32_t next_teid = upf_next_local_teid_inc();
+		if (upf_is_local_teid_in_use(next_teid))
+			continue;
+		return next_teid;
+	}
+	return 0;
+}
+
+static uint32_t upf_next_chain_id_inc(void)
+{
+	g_upf->tunmap.next_chain_id_state++;
+	if (!g_upf->tunmap.next_chain_id_state)
+		g_upf->tunmap.next_chain_id_state++;
+	return g_upf->tunmap.next_chain_id_state;
+}
+
+/* Return an unused chain_id, or 0 if none is found with sane effort. */
+uint32_t upf_next_chain_id(void)
+{
+	uint32_t sanity;
+
+	/* Make sure the new chain_id is not used anywhere */
+	for (sanity = 2342; sanity; sanity--) {
+		struct up_peer *peer;
+		uint32_t chain_id = upf_next_chain_id_inc();
+		bool taken = false;
+
+		if (!g_upf->pfcp.ep)
+			return chain_id;
+
+		llist_for_each_entry(peer, &g_upf->pfcp.ep->peers, entry) {
+			struct up_session *session;
+			int bkt;
+			hash_for_each(peer->sessions_by_up_seid, bkt, session, node_by_up_seid) {
+				struct up_gtp_action *a;
+				llist_for_each_entry(a, &session->active_gtp_actions, entry) {
+					if (a->kind != UP_GTP_U_TUNMAP)
+						continue;
+					if (a->tunmap.access.chain_id == chain_id
+					    || a->tunmap.core.chain_id == chain_id) {
+						taken = true;
+						break;
+					}
+				}
+				if (taken)
+					break;
+			}
+			if (taken)
+				break;
+		}
+
+		if (!taken)
+			return chain_id;
+	}
+
+	/* finding a chain_id became insane, return invalid = 0 */
+	return 0;
+}

src/osmo-upf/upf_gtp.c

@@ -66,7 +66,7 @@ char *upf_gtp_dev_to_str_c(void *ctx, const struct upf_gtp_dev *dev)
 struct upf_gtp_dev *upf_gtp_dev_find_by_name(const char *name)
 {
 	struct upf_gtp_dev *dev;
-	llist_for_each_entry(dev, &g_upf->gtp.devs, entry) {
+	llist_for_each_entry(dev, &g_upf->tunend.devs, entry) {
 		if (!strcmp(name, dev->name))
 			return dev;
 	}
@@ -79,7 +79,7 @@ struct upf_gtp_dev *upf_gtp_dev_find_by_local_addr(const struct osmo_sockaddr *l
 	struct upf_gtp_dev *dev_any = NULL;
 	struct osmo_sockaddr needle = *local_addr;
 
-	llist_for_each_entry(dev, &g_upf->gtp.devs, entry) {
+	llist_for_each_entry(dev, &g_upf->tunend.devs, entry) {
 		/* To leave the port number out of the cmp, set the needle's port to match */
 		osmo_sockaddr_set_port(&needle.u.sa, osmo_sockaddr_port(&dev->gtpv1.local_addr.u.sa));
 
@@ -95,7 +95,7 @@ struct upf_gtp_dev *upf_gtp_dev_find_by_local_addr(const struct osmo_sockaddr *l
 
 struct upf_gtp_dev *upf_gtp_dev_first()
 {
-	return llist_first_entry_or_null(&g_upf->gtp.devs, struct upf_gtp_dev, entry);
+	return llist_first_entry_or_null(&g_upf->tunend.devs, struct upf_gtp_dev, entry);
 }
 
 /* Tell the kernel to remove the GTP device. Called implicitly by talloc_free() (see upf_gtp_dev_destruct()). */
@@ -116,7 +116,7 @@ static int upf_gtp_dev_delete(struct upf_gtp_dev *dev)
 
 static int upf_gtp_dev_destruct(struct upf_gtp_dev *dev);
 
-/* Allocate state for one GTP device, add to g_upf->gtp.devs and return the created device. If state for the device of
+/* Allocate state for one GTP device, add to g_upf->tunend.devs and return the created device. If state for the device of
  * that name already exists, do nothing and return NULL. */
 static struct upf_gtp_dev *upf_gtp_dev_alloc(const char *name, const char *local_addr)
 {
@@ -144,7 +144,7 @@ static struct upf_gtp_dev *upf_gtp_dev_alloc(const char *name, const char *local
 
 	/* Need to add to list before setting up the destructor. A talloc_free() does automagically remove from the
 	 * list. */
-	llist_add(&dev->entry, &g_upf->gtp.devs);
+	llist_add(&dev->entry, &g_upf->tunend.devs);
 
 	talloc_set_destructor(dev, upf_gtp_dev_destruct);
 
@@ -163,7 +163,7 @@ static int dev_resolve_ifidx(struct upf_gtp_dev *dev)
 	}
 	/* Let's try something to see if talking to the device works. */
 	errno = 0;
-	rc = gtp_list_tunnel(g_upf->gtp.genl_id, g_upf->gtp.nl);
+	rc = gtp_list_tunnel(g_upf->tunend.genl_id, g_upf->tunend.nl);
 	if (errno)
 		rc = -errno;
 	else if (rc)
@@ -192,7 +192,7 @@ int upf_gtp_dev_open(const char *name, bool create_gtp_dev, const char *local_ad
 	int rc;
 	struct upf_gtp_dev *dev;
 
-	if (g_upf->gtp.mockup) {
+	if (g_upf->tunend.mockup) {
 		LOGP(DGTP, LOGL_NOTICE, "tunend/mockup active: not opening GTP device '%s'\n", name);
 		return 0;
 	}
@@ -265,17 +265,17 @@ int upf_gtp_dev_open(const char *name, bool create_gtp_dev, const char *local_ad
 void upf_gtp_devs_close()
 {
 	struct upf_gtp_dev *dev;
-	while ((dev = llist_first_entry_or_null(&g_upf->gtp.devs, struct upf_gtp_dev, entry)))
+	while ((dev = llist_first_entry_or_null(&g_upf->tunend.devs, struct upf_gtp_dev, entry)))
 		talloc_free(dev);
 }
 
 void upf_gtp_genl_close()
 {
-	if (!g_upf->gtp.nl)
+	if (!g_upf->tunend.nl)
 		return;
-	genl_socket_close(g_upf->gtp.nl);
-	g_upf->gtp.nl = NULL;
-	g_upf->gtp.genl_id = -1;
+	genl_socket_close(g_upf->tunend.nl);
+	g_upf->tunend.nl = NULL;
+	g_upf->tunend.genl_id = -1;
 
 	LOGP(DGTP, LOGL_NOTICE, "Closed mnl_socket\n");
 }
@@ -284,21 +284,21 @@ void upf_gtp_genl_close()
 int upf_gtp_genl_ensure_open()
 {
 	/* Already open? */
-	if (g_upf->gtp.nl && g_upf->gtp.genl_id >= 0)
+	if (g_upf->tunend.nl && g_upf->tunend.genl_id >= 0)
 		return 0;
 
 	/* sanity / paranoia: if re-opening, make sure the previous socket is closed */
-	if (g_upf->gtp.nl)
+	if (g_upf->tunend.nl)
 		upf_gtp_genl_close();
 
-	g_upf->gtp.nl = genl_socket_open();
-	if (!g_upf->gtp.nl) {
+	g_upf->tunend.nl = genl_socket_open();
+	if (!g_upf->tunend.nl) {
 		LOGP(DGTP, LOGL_ERROR, "Cannot open mnl_socket: %s\n", strerror(errno));
 		return -EIO;
 	}
 
-	g_upf->gtp.genl_id = genl_lookup_family(g_upf->gtp.nl, "gtp");
-	if (g_upf->gtp.genl_id < 0) {
+	g_upf->tunend.genl_id = genl_lookup_family(g_upf->tunend.nl, "gtp");
+	if (g_upf->tunend.genl_id < 0) {
 		LOGP(DGTP, LOGL_ERROR, "genl family 'gtp' not found\n");
 		return -ENOTSUP;
 	}
@@ -311,7 +311,7 @@ struct upf_gtp_tunend {
 	struct llist_head entry;
 
 	struct upf_gtp_dev *dev;
-	struct upf_gtp_tunend_desc desc;
+	struct upf_tunend desc;
 	bool active;
 };
 
@@ -320,9 +320,9 @@ static int upf_gtp_tunend_to_str_buf(char *buf, size_t buflen, const struct upf_
 	struct osmo_strbuf sb = { .buf = buf, .len = buflen };
 	/* "tunend{dev=apn0 access(GTP-r=1.2.3.4 TEID:l=0x1234,r=0x5678) core(UE-l=10.9.8.7)}" */
 	OSMO_STRBUF_PRINTF(sb, "tunend{dev=%s access(GTP-r=", tun->dev->name);
-	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tun->desc.access.gtp_remote_addr);
+	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tun->desc.access.remote.addr);
 	OSMO_STRBUF_PRINTF(sb, " TEID:l=0x%x,r=0x%x) core(UE-l=",
-			   tun->desc.access.local_teid, tun->desc.access.remote_teid);
+			   tun->desc.access.local.teid, tun->desc.access.remote.teid);
 	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tun->desc.core.ue_local_addr);
 	OSMO_STRBUF_PRINTF(sb, ")}");
 	return sb.chars_needed;
@@ -343,18 +343,18 @@ static int upf_gtp_tunend_destruct(struct upf_gtp_tunend *tun)
 	return 0;
 }
 
-#define tunend_desc_validate(TUN_DESC) \
+#define tunend_validate(TUNEND) \
 	do { \
-		OSMO_ASSERT(osmo_sockaddr_port(&(TUN_DESC)->access.gtp_local_addr.u.sa) == 0); \
-		OSMO_ASSERT(osmo_sockaddr_port(&(TUN_DESC)->access.gtp_remote_addr.u.sa) == 0); \
-		OSMO_ASSERT(osmo_sockaddr_port(&(TUN_DESC)->core.ue_local_addr.u.sa) == 0); \
+		OSMO_ASSERT(osmo_sockaddr_port(&(TUNEND)->access.local.addr.u.sa) == 0); \
+		OSMO_ASSERT(osmo_sockaddr_port(&(TUNEND)->access.remote.addr.u.sa) == 0); \
+		OSMO_ASSERT(osmo_sockaddr_port(&(TUNEND)->core.ue_local_addr.u.sa) == 0); \
 	} while (0)
 
-static struct upf_gtp_tunend *upf_gtp_tunend_alloc(struct upf_gtp_dev *dev, const struct upf_gtp_tunend_desc *desc)
+static struct upf_gtp_tunend *upf_gtp_tunend_alloc(struct upf_gtp_dev *dev, const struct upf_tunend *desc)
 {
 	struct upf_gtp_tunend *tun = talloc(dev, struct upf_gtp_tunend);
 	OSMO_ASSERT(tun);
-	tunend_desc_validate(desc);
+	tunend_validate(desc);
 	*tun = (struct upf_gtp_tunend){
 		.dev = dev,
 		.desc = *desc,
@@ -369,7 +369,7 @@ static struct gtp_tunnel *upf_gtp_tunend_to_gtp_tunnel(struct upf_gtp_tunend *tu
 	struct gtp_tunnel *t;
 
 	if (tun->desc.core.ue_local_addr.u.sas.ss_family != AF_INET
-	    || tun->desc.access.gtp_remote_addr.u.sas.ss_family != AF_INET) {
+	    || tun->desc.access.remote.addr.u.sas.ss_family != AF_INET) {
 		LOG_GTP_TUN(tun, LOGL_ERROR, "Only capabale of IPv4\n");
 		return NULL;
 	}
@@ -378,9 +378,9 @@ static struct gtp_tunnel *upf_gtp_tunend_to_gtp_tunnel(struct upf_gtp_tunend *tu
 	OSMO_ASSERT(t);
 	gtp_tunnel_set_ifidx(t, tun->dev->ifidx);
 	gtp_tunnel_set_version(t, GTP_V1);
-	gtp_tunnel_set_i_tei(t, tun->desc.access.local_teid);
-	gtp_tunnel_set_o_tei(t, tun->desc.access.remote_teid);
-	gtp_tunnel_set_sgsn_ip4(t, &tun->desc.access.gtp_remote_addr.u.sin.sin_addr);
+	gtp_tunnel_set_i_tei(t, tun->desc.access.local.teid);
+	gtp_tunnel_set_o_tei(t, tun->desc.access.remote.teid);
+	gtp_tunnel_set_sgsn_ip4(t, &tun->desc.access.remote.addr.u.sin.sin_addr);
 	gtp_tunnel_set_ms_ip4(t, &tun->desc.core.ue_local_addr.u.sin.sin_addr);
 	return t;
 }
@@ -398,7 +398,7 @@ int upf_gtp_tunend_activate(struct upf_gtp_tunend *tun)
 		return -ENOTSUP;
 
 	errno = 0;
-	rc = gtp_add_tunnel(g_upf->gtp.genl_id, g_upf->gtp.nl, t);
+	rc = gtp_add_tunnel(g_upf->tunend.genl_id, g_upf->tunend.nl, t);
 	if (errno) {
 		rc = -errno;
 	} else if (rc) {
@@ -411,36 +411,36 @@ int upf_gtp_tunend_activate(struct upf_gtp_tunend *tun)
 	return rc;
 }
 
-static struct upf_gtp_tunend *upf_gtp_dev_tunend_find(struct upf_gtp_dev *dev, const struct upf_gtp_tunend_desc *tun_desc)
+static struct upf_gtp_tunend *upf_gtp_dev_tunend_find(struct upf_gtp_dev *dev, const struct upf_tunend *tunend)
 {
 	struct upf_gtp_tunend *tun;
-	tunend_desc_validate(tun_desc);
+	tunend_validate(tunend);
 	llist_for_each_entry(tun, &dev->tunnels, entry) {
-		if (upf_gtp_tunend_desc_cmp(tun_desc, &tun->desc))
+		if (upf_gtp_tunend_cmp(tunend, &tun->desc))
 			continue;
 		return tun;
 	}
 	return NULL;
 }
 
-int upf_gtp_dev_tunend_add(struct upf_gtp_dev *dev, const struct upf_gtp_tunend_desc *tun_desc)
+int upf_gtp_dev_tunend_add(struct upf_gtp_dev *dev, const struct upf_tunend *tunend)
 {
 	struct upf_gtp_tunend *tun;
-	tunend_desc_validate(tun_desc);
-	tun = upf_gtp_dev_tunend_find(dev, tun_desc);
+	tunend_validate(tunend);
+	tun = upf_gtp_dev_tunend_find(dev, tunend);
 	if (!tun)
-		tun = upf_gtp_tunend_alloc(dev, tun_desc);
+		tun = upf_gtp_tunend_alloc(dev, tunend);
 	if (tun->active)
 		return 0;
 	return upf_gtp_tunend_activate(tun);
 }
 
-int upf_gtp_dev_tunend_del(struct upf_gtp_dev *dev, const struct upf_gtp_tunend_desc *tun_desc)
+int upf_gtp_dev_tunend_del(struct upf_gtp_dev *dev, const struct upf_tunend *tunend)
 {
 	struct upf_gtp_tunend *tun;
 	int rc;
-	tunend_desc_validate(tun_desc);
-	tun = upf_gtp_dev_tunend_find(dev, tun_desc);
+	tunend_validate(tunend);
+	tun = upf_gtp_dev_tunend_find(dev, tunend);
 	if (!tun)
 		return 0;
 	if (tun->active) {
@@ -466,7 +466,7 @@ static int upf_gtp_tunend_deactivate(struct upf_gtp_tunend *tun)
 	if (!t)
 		return -EINVAL;
 
-	rc = gtp_del_tunnel(g_upf->gtp.genl_id, g_upf->gtp.nl, t);
+	rc = gtp_del_tunnel(g_upf->tunend.genl_id, g_upf->tunend.nl, t);
 	if (rc)
 		LOG_GTP_TUN(tun, LOGL_ERROR, "Failed to delete tunnel\n");
 	else
@@ -491,7 +491,7 @@ static int upf_gtp_dev_destruct(struct upf_gtp_dev *dev)
 	return 0;
 }
 
-int upf_gtp_tunend_desc_cmp(const struct upf_gtp_tunend_desc *a, const struct upf_gtp_tunend_desc *b)
+int upf_gtp_tunend_cmp(const struct upf_tunend *a, const struct upf_tunend *b)
 {
 	int r;
 
@@ -503,9 +503,9 @@ int upf_gtp_tunend_desc_cmp(const struct upf_gtp_tunend_desc *a, const struct up
 		return 1;
 
 #define CMP_MEMB(MEMB) OSMO_CMP(a->MEMB, b->MEMB)
-	if ((r = CMP_MEMB(access.local_teid)))
+	if ((r = CMP_MEMB(access.local.teid)))
 		return r;
-	if ((r = CMP_MEMB(access.remote_teid)))
+	if ((r = CMP_MEMB(access.remote.teid)))
 		return r;
-	return osmo_sockaddr_cmp(&a->access.gtp_remote_addr, &b->access.gtp_remote_addr);
+	return osmo_sockaddr_cmp(&a->access.remote.addr, &b->access.remote.addr);
 }

src/osmo-upf/upf_gtpu_echo.c

@@ -31,6 +31,7 @@ struct gtp1u_hdr {
 		pt:1, /*< Protocol Type: GTP=1, GTP'=0 */
 		version:3; /*< Version: 1 */
 #elif OSMO_IS_BIG_ENDIAN
+/* auto-generated from the little endian part above (libosmocore/contrib/struct_endianness.py) */
 	uint8_t version:3, pt:1, spare:1, e:1, s:1, pn:1;
 #endif
 	uint8_t msg_type;
@@ -49,23 +50,43 @@ struct gtp1u_hdr {
 
 static int tx_echo_resp(struct upf_gtp_dev *dev, const struct osmo_sockaddr *remote, uint16_t seq_nr);
 
-static int rx_echo_req(struct upf_gtp_dev *dev, const struct osmo_sockaddr *remote, const struct gtp1u_hdr *rx_h)
+static int rx_echo_req(struct upf_gtp_dev *dev, const struct osmo_sockaddr *remote, const struct gtp1u_hdr *rx_h,
+		       size_t msg_len)
 {
-	if (!rx_h->s) {
-		LOG_GTP_DEV(dev, LOGL_ERROR, "rx GTPv1-U ECHO REQ without sequence nr\n");
-		return -1;
-	}
+	uint16_t seq_nr = 0;
+	uint8_t recovery_count = 0;
+	if (msg_len >= (sizeof(*rx_h) + 2) && rx_h->data2[0] == GTP1U_IEI_RECOVERY)
+		recovery_count = rx_h->data2[1];
+
+	seq_nr = rx_h->s;
+	LOG_GTP_DEV(dev, LOGL_INFO, "<- %s: rx GTPv1-U Echo Request: seq_nr=%u recovery_count=%u\n",
+		    osmo_sockaddr_to_str(remote), seq_nr, recovery_count);
 
 	return tx_echo_resp(dev, remote, rx_h->ext.seq_nr);
 }
 
+static void rx_echo_resp(struct upf_gtp_dev *dev, const struct osmo_sockaddr *remote, const struct gtp1u_hdr *rx_h,
+			 size_t msg_len)
+{
+	if (msg_len < (sizeof(*rx_h) + 2)) {
+		LOG_GTP_DEV(dev, LOGL_ERROR,
+			    "<- %s: rx GTPv1-U Echo Response, but message is too short (%zu < %zu)\n",
+			    osmo_sockaddr_to_str_c(OTC_SELECT, remote), msg_len, (sizeof(*rx_h) + 2));
+		return;
+	}
+
+	uint8_t recovery_count = rx_h->data2[1];
+	LOG_GTP_DEV(dev, LOGL_INFO, "<- %s: rx GTPv1-U Echo Response: seq_nr=%u recovery_count=%u\n",
+		    osmo_sockaddr_to_str(remote), rx_h->ext.seq_nr, recovery_count);
+}
+
 static int tx_echo_resp(struct upf_gtp_dev *dev, const struct osmo_sockaddr *remote, uint16_t seq_nr)
 {
 	struct msgb *msg;
 	struct gtp1u_hdr *tx_h;
 	int rc;
 
-	msg = msgb_alloc_headroom(1024, 128, "GTP-echo-resp");
+	msg = msgb_alloc_headroom(1024, 128, "GTPv1-U-echo-resp");
 	tx_h = (void *)msgb_put(msg, sizeof(*tx_h));
 
 	*tx_h = (struct gtp1u_hdr){
@@ -83,16 +104,58 @@ static int tx_echo_resp(struct upf_gtp_dev *dev, const struct osmo_sockaddr *rem
 
 	/* ECHO RESPONSE shall contain a recovery counter */
 	msgb_put_u8(msg, GTP1U_IEI_RECOVERY);
-	msgb_put_u8(msg, g_upf->gtp.recovery_count);
+	msgb_put_u8(msg, g_upf->tunend.recovery_count);
 
 	osmo_store16be(msg->tail - tx_h->data1, &tx_h->length);
 
 	rc = sendto(dev->gtpv1.ofd.fd, msgb_data(msg), msgb_length(msg), 0, &remote->u.sa, sizeof(*remote));
 	if (rc < 0) {
-		int err = errno;
-		LOG_GTP_DEV(dev, LOGL_ERROR, "GTP1-U sendto(len=%d, to=%s): %s\n", msgb_length(msg),
-			    osmo_sockaddr_to_str(remote), strerror(err));
+		rc = -errno;
+		LOG_GTP_DEV(dev, LOGL_ERROR, "-> %s: tx GTPv1-U Echo Response: sendto(len=%d): %s\n",
+			    osmo_sockaddr_to_str(remote), msgb_length(msg), strerror(-rc));
+	} else {
+		LOG_GTP_DEV(dev, LOGL_INFO, "-> %s: tx GTPv1-U Echo Response: seq_nr=%u recovery_count=%u\n",
+			    osmo_sockaddr_to_str(remote), seq_nr, g_upf->tunend.recovery_count);
+		rc = 0;
 	}
+	msgb_free(msg);
+	return rc;
+}
+
+int upf_gtpu_echo_req_tx(struct upf_gtp_dev *dev, const struct osmo_sockaddr *remote, uint16_t seq_nr)
+{
+	struct gtp1u_hdr *tx_h;
+	int rc;
+	uint8_t msgbuf[sizeof(struct gtp1u_hdr) + 2];
+
+	tx_h = (void *)msgbuf;
+	*tx_h = (struct gtp1u_hdr){
+		/* 3GPP TS 29.281 5.1 defines that the ECHO REQ & RESP shall contain a sequence nr */
+		.s = 1,
+		.pt = 1,
+		.version = 1,
+		.msg_type = GTP1U_MSGTYPE_ECHO_REQ,
+		.ext = {
+			.seq_nr = seq_nr,
+		},
+	};
+
+	/* ECHO REQUEST shall contain a recovery counter */
+	tx_h->data2[0] = GTP1U_IEI_RECOVERY;
+	tx_h->data2[1] = g_upf->tunend.recovery_count;
+
+	osmo_store16be(sizeof(msgbuf) - offsetof(struct gtp1u_hdr, data1), &tx_h->length);
+
+	rc = sendto(dev->gtpv1.ofd.fd, msgbuf, sizeof(msgbuf), 0, &remote->u.sa, sizeof(*remote));
+	if (rc < 0) {
+		rc = -errno;
+		LOG_GTP_DEV(dev, LOGL_ERROR, "GTP1-U sendto(len=%zu, to=%s): %s\n", sizeof(msgbuf),
+			    osmo_sockaddr_to_str(remote), strerror(-rc));
+	} else {
+		rc = 0;
+	}
+	LOG_GTP_DEV(dev, LOGL_INFO, "<- %s: tx GTP1-U Echo Request: seq_nr=%u recovery_count=%u\n",
+		    osmo_sockaddr_to_str(remote), seq_nr, g_upf->tunend.recovery_count);
 	return rc;
 }
 
@@ -119,39 +182,42 @@ int upf_gtpu_echo_read_cb(struct osmo_fd *ofd, unsigned int what)
 	/* A GTPv1-U header of size 8 is valid, but this code expects to handle only ECHO REQUEST messages. These are
 	 * required to have a sequence number, hence this check here consciously uses the full sizeof(*h) == 12. */
 	if (sz < sizeof(*h)) {
-		LOG_GTP_DEV(dev, LOGL_ERROR, "rx GTP packet smaller than the GTPv1-U header + sequence nr: %zd < %zu\n",
-			    sz, sizeof(*h));
+		LOG_GTP_DEV(dev, LOGL_ERROR,
+			    "<- %s: rx GTPv1-U packet smaller than the GTPv1-U header + sequence nr: %zd < %zu\n",
+			    osmo_sockaddr_to_str(&remote), sz, sizeof(*h));
 		return -1;
 	}
 
 	h = (const struct gtp1u_hdr *)buf;
 	if (h->version != 1) {
-		LOG_GTP_DEV(dev, LOGL_ERROR, "rx GTP v%u: only GTP version 1 supported\n", h->version);
+		LOG_GTP_DEV(dev, LOGL_ERROR, "<- %s: rx GTPv1-U v%u: only GTP version 1 supported\n",
+			    osmo_sockaddr_to_str(&remote), h->version);
 		return -1;
 	}
 
 	h_length = osmo_load16be(&h->length);
 	if (offsetof(struct gtp1u_hdr, data1) + h_length > sz) {
-		LOG_GTP_DEV(dev, LOGL_ERROR, "rx GTP: header + h.length = %zu > received bytes = %zd\n",
-			    offsetof(struct gtp1u_hdr, data1) + h_length, sz);
+		LOG_GTP_DEV(dev, LOGL_ERROR, "<- %s: rx GTPv1-U: header + h.length = %zu > received bytes = %zd\n",
+			    osmo_sockaddr_to_str(&remote), offsetof(struct gtp1u_hdr, data1) + h_length, sz);
 		return -1;
 	}
 
 	switch (h->msg_type) {
 	case GTP1U_MSGTYPE_ECHO_REQ:
-		return rx_echo_req(dev, &remote, h);
+		return rx_echo_req(dev, &remote, h, sz);
+	case GTP1U_MSGTYPE_ECHO_RSP:
+		rx_echo_resp(dev, &remote, h, sz);
+		return 0;
 	default:
 		LOG_GTP_DEV(dev, LOGL_ERROR, "rx: GTPv1-U message type %u not supported\n", h->msg_type);
 		return -1;
 	}
-
-	return 0;
 }
 
 int upf_gtpu_echo_setup(struct upf_gtp_dev *dev)
 {
 	if (dev->gtpv1.ofd.fd == -1) {
-		LOGP(DGTP, LOGL_ERROR, "Cannot setup GTP-U ECHO: GTP-v1 socket not initialized\n");
+		LOGP(DGTP, LOGL_ERROR, "Cannot setup GTPv1-U ECHO: socket not initialized\n");
 		return -EINVAL;
 	}
 

src/osmo-upf/upf_nft.c

@@ -26,6 +26,7 @@
 
 #include <osmocom/core/talloc.h>
 #include <osmocom/core/logging.h>
+#include <osmocom/core/timer.h>
 
 #include <osmocom/upf/upf.h>
 #include <osmocom/upf/upf_nft.h>
@@ -59,64 +60,186 @@ static char *upf_nft_ruleset_vmap_init(void *ctx, const char *table_name, int pr
 		table_name);
 }
 
-static int upf_nft_run(const char *ruleset)
+static int upf_nft_run_now(const char *ruleset)
 {
 	int rc;
+	const int logmax = 256;
 
-	if (g_upf->nft.mockup) {
+	if (g_upf->tunmap.mockup) {
 		LOGP(DNFT, LOGL_NOTICE, "tunmap/mockup active: not running nft ruleset: '%s'\n", ruleset);
 		return 0;
 	}
 
-	if (!g_upf->nft.nft_ctx) {
+	if (!g_upf->tunmap.nft_ctx) {
 		rc = upf_nft_init();
 		if (rc)
 			return rc;
 	}
 
-	rc = nft_run_cmd_from_buffer(g_upf->nft.nft_ctx, ruleset);
+	rc = nft_run_cmd_from_buffer(g_upf->tunmap.nft_ctx, ruleset);
 	if (rc < 0) {
 		LOGP(DNFT, LOGL_ERROR, "error running nft ruleset: rc=%d ruleset=%s\n",
 		     rc, osmo_quote_str_c(OTC_SELECT, ruleset, -1));
 		return -EIO;
 	}
 
-	LOGP(DNFT, LOGL_DEBUG, "set up nft ruleset: %s\n", osmo_quote_str_c(OTC_SELECT, ruleset, -1));
+	if (log_check_level(DNFT, LOGL_DEBUG)) {
+		size_t l = strlen(ruleset);
+		LOGP(DNFT, LOGL_DEBUG, "ran nft ruleset, %zu chars: \"%s%s\"\n",
+		     l,
+		     osmo_escape_cstr_c(OTC_SELECT, ruleset, OSMO_MIN(logmax, l)),
+		     l > logmax ? "..." : "");
+	}
+
 	return 0;
 }
 
+struct nft_queue {
+	struct osmo_tdef *flush_time_tdef;
+	struct osmo_tdef *ruleset_max_tdef;
+	struct osmo_strbuf sb;
+	/* 128 NFT rulesets amount to about 110 kb of char */
+	char buf[1<<17];
+	unsigned int ruleset_count;
+	struct osmo_timer_list timer;
+};
+
+static void nft_queue_clear_buf(struct nft_queue *q)
+{
+	q->sb = (struct osmo_strbuf){ .buf = q->buf, .len = sizeof(q->buf) };
+	q->buf[0] = '\0';
+}
+
+static void nft_queue_init(void *ctx, struct nft_queue *q,
+			   struct osmo_tdef *flush_time_tdef,
+			   struct osmo_tdef *ruleset_max_tdef)
+{
+	*q = (struct nft_queue){
+		.flush_time_tdef = flush_time_tdef,
+		.ruleset_max_tdef = ruleset_max_tdef,
+	};
+	nft_queue_clear_buf(q);
+}
+
+static void nft_queue_flush(struct nft_queue *q, const char *reason)
+{
+	static unsigned int flush_count = 0;
+	static unsigned int ruleset_count = 0;
+
+	/* We will now flush the queue empty. A timer needs to run only when the next pending entry is added. */
+	osmo_timer_del(&q->timer);
+
+	/* Nothing to send? */
+	if (!q->sb.chars_needed)
+		return;
+
+	flush_count++;
+	ruleset_count += q->ruleset_count;
+	LOGP(DNFT, LOGL_INFO, "Flushing NFT ruleset queue: %s: n:%u strlen:%zu (flush count: %u avg rules per flush: %s)\n",
+	     reason,
+	     q->ruleset_count, q->sb.chars_needed,
+	     flush_count, osmo_int_to_float_str_c(OTC_SELECT, 10 * ruleset_count / flush_count, 1));
+
+	q->ruleset_count = 0;
+
+	upf_nft_run_now(q->sb.buf);
+
+	nft_queue_clear_buf(q);
+}
+
+static void nft_queue_flush_cb(void *q)
+{
+	nft_queue_flush(q, "timeout");
+}
+
+static int nft_enqueue(struct nft_queue *q,
+		       int (*tunmap_to_str_buf)(char *buf, size_t len, struct upf_tunmap *tunmap),
+		       struct upf_tunmap *tunmap)
+{
+	int ruleset_max;
+	struct osmo_strbuf q_sb_was = q->sb;
+
+	OSMO_STRBUF_APPEND(q->sb, tunmap_to_str_buf, tunmap);
+
+	/* is that being cut off? then revert the addition. This should never happen in practice. */
+	if (q->sb.chars_needed >= q->sb.len) {
+		q->sb = q_sb_was;
+		if (q->sb.pos)
+			*q->sb.pos = '\0';
+		nft_queue_flush(q, "reached max nr of chars");
+		OSMO_STRBUF_APPEND(q->sb, tunmap_to_str_buf, tunmap);
+	}
+
+	/* Append separator -- no problem if that gets cut off. */
+	OSMO_STRBUF_PRINTF(q->sb, "\n");
+
+	q->ruleset_count++;
+
+	LOGP(DNFT, LOGL_INFO, "Added NFT ruleset to queue: n:%u strlen:%zu\n",
+	     q->ruleset_count, q->sb.chars_needed);
+
+	/* Added a rule, see if it has reached ruleset_max. */
+	ruleset_max = osmo_tdef_get(q->ruleset_max_tdef, q->ruleset_max_tdef->T, OSMO_TDEF_CUSTOM, 128);
+	if (q->ruleset_count >= ruleset_max) {
+		nft_queue_flush(q, "reached max nr of rules");
+		return 0;
+	}
+
+	/* Item added. If the timer is not running yet, schedule a flush in given timeout */
+	if (!osmo_timer_pending(&q->timer)) {
+		struct osmo_tdef *t;
+		unsigned long us;
+		osmo_timer_setup(&q->timer, nft_queue_flush_cb, q);
+		t = q->flush_time_tdef;
+		us = osmo_tdef_get(t, t->T, OSMO_TDEF_US, 100000);
+		osmo_timer_schedule(&q->timer, us / 1000000, us % 1000000);
+	}
+	return 0;
+}
+
+static void nft_queue_free(struct nft_queue *q)
+{
+	osmo_timer_del(&q->timer);
+}
+
+static struct nft_queue g_nft_queue = {};
+
 int upf_nft_init()
 {
 	int rc;
 
+	nft_queue_init(g_upf, &g_nft_queue,
+		       osmo_tdef_get_entry(g_upf_nft_tdefs, -32),
+		       osmo_tdef_get_entry(g_upf_nft_tdefs, -33));
+
 	/* Always set up the default settings, also in mockup mode, so that the VTY reflects sane values */
-	if (!g_upf->nft.table_name)
-		g_upf->nft.table_name = talloc_strdup(g_upf, "osmo-upf");
+	if (!g_upf->tunmap.table_name)
+		g_upf->tunmap.table_name = talloc_strdup(g_upf, "osmo-upf");
 
 	/* When in mockup mode, do not set up nft_ctx and netfilter table */
-	if (g_upf->nft.mockup) {
+	if (g_upf->tunmap.mockup) {
 		LOGP(DNFT, LOGL_NOTICE,
 		     "tunmap/mockup active: not allocating libnftables nft_ctx. FOR TESTING PURPOSES ONLY.\n");
 		return 0;
 	}
 
-	g_upf->nft.nft_ctx = nft_ctx_new(NFT_CTX_DEFAULT);
-	if (!g_upf->nft.nft_ctx) {
+	g_upf->tunmap.nft_ctx = nft_ctx_new(NFT_CTX_DEFAULT);
+	if (!g_upf->tunmap.nft_ctx) {
 		LOGP(DNFT, LOGL_ERROR, "cannot allocate libnftables nft_ctx\n");
 		return -EIO;
 	}
 
-	rc = upf_nft_run(upf_nft_tunmap_get_table_init_str(OTC_SELECT));
+	rc = upf_nft_run_now(upf_nft_tunmap_get_table_init_str(OTC_SELECT));
 	if (rc) {
 		LOGP(DNFT, LOGL_ERROR, "Failed to create nft table %s\n",
-		     osmo_quote_str_c(OTC_SELECT, g_upf->nft.table_name, -1));
+		     osmo_quote_str_c(OTC_SELECT, g_upf->tunmap.table_name, -1));
 		return rc;
 	}
-	LOGP(DNFT, LOGL_NOTICE, "Created nft table %s\n", osmo_quote_str_c(OTC_SELECT, g_upf->nft.table_name, -1));
+	LOGP(DNFT, LOGL_NOTICE, "Created nft table %s\n", osmo_quote_str_c(OTC_SELECT, g_upf->tunmap.table_name, -1));
 
-	rc = upf_nft_run(upf_nft_tunmap_get_vmap_init_str(OTC_SELECT));
+	rc = upf_nft_run_now(upf_nft_tunmap_get_vmap_init_str(OTC_SELECT));
 	if (rc) {
-		LOGP(DNFT, LOGL_ERROR, "Failed to initialize nft verdict map in table %s\n", g_upf->nft.table_name);
+		LOGP(DNFT, LOGL_ERROR, "Failed to initialize nft verdict map in table %s\n", g_upf->tunmap.table_name);
 		return rc;
 	}
 	return 0;
@@ -124,10 +247,11 @@ int upf_nft_init()
 
 int upf_nft_free()
 {
-	if (!g_upf->nft.nft_ctx)
+	nft_queue_free(&g_nft_queue);
+	if (!g_upf->tunmap.nft_ctx)
 		return 0;
-	nft_ctx_free(g_upf->nft.nft_ctx);
-	g_upf->nft.nft_ctx = NULL;
+	nft_ctx_free(g_upf->tunmap.nft_ctx);
+	g_upf->tunmap.nft_ctx = NULL;
 	return 0;
 }
 
@@ -177,7 +301,7 @@ static int tunmap_add_single_direction(char *buf, size_t buflen,
 	 * # add chain for verdict map in postrouting
 	 * add chain inet osmo-upf tunmap-post-123
 	 * # mangle source address and GTP TID at postrouting
-	 * add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.1 @ih,32,32 set 0x00000102 counter accept
+	 * add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.1 udp sport set 2152 @ih,32,32 set 0x00000102 counter accept
 	 *
 	 * # add elements to verdict map, jump to chain
 	 * add element inet osmo-upf tunmap-pre { 2.2.2.3 . 0x00000203 : jump tunmap-pre-123 }
@@ -200,6 +324,7 @@ static int tunmap_add_single_direction(char *buf, size_t buflen,
 			   args->table_name, from_peer->chain_id);
 	OSMO_STRBUF_PRINTF(sb, " ip saddr set ");
 	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, to_peer->addr_local);
+	OSMO_STRBUF_PRINTF(sb, " udp sport set 2152");
 	OSMO_STRBUF_PRINTF(sb, " @ih,32,32 set 0x%x", to_peer->teid_remote);
 	OSMO_STRBUF_PRINTF(sb, " counter accept;\n");
 
@@ -262,11 +387,6 @@ static int upf_nft_ruleset_tunmap_create_buf(char *buf, size_t buflen, const str
 	return sb.chars_needed;
 }
 
-static char *upf_nft_ruleset_tunmap_create_c(void *ctx, const struct upf_nft_args *args)
-{
-	OSMO_NAME_C_IMPL(ctx, 1024, "ERROR", upf_nft_ruleset_tunmap_create_buf, args)
-}
-
 static int upf_nft_ruleset_tunmap_delete_buf(char *buf, size_t buflen, const struct upf_nft_args *args)
 {
 	struct osmo_strbuf sb = { .buf = buf, .len = buflen };
@@ -279,54 +399,49 @@ static int upf_nft_ruleset_tunmap_delete_buf(char *buf, size_t buflen, const str
 	return sb.chars_needed;
 }
 
-static char *upf_nft_ruleset_tunmap_delete_c(void *ctx, const struct upf_nft_args *args)
-{
-	OSMO_NAME_C_IMPL(ctx, 512, "ERROR", upf_nft_ruleset_tunmap_delete_buf, args)
-}
-
-int upf_nft_tunmap_to_str_buf(char *buf, size_t buflen, const struct upf_nft_tunmap_desc *tunmap)
+int upf_nft_tunmap_to_str_buf(char *buf, size_t buflen, const struct upf_tunmap *tunmap)
 {
 	struct osmo_strbuf sb = { .buf = buf, .len = buflen };
 
 	/* ACCESS 1.1.1.2:0x102 <---> 2.2.2.1:0x201 UPF 2.2.2.3:0x203 <---> 3.3.3.2:0x302 CORE */
 	OSMO_STRBUF_PRINTF(sb, "ACCESS ");
-	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tunmap->access.gtp_remote_addr);
-	OSMO_STRBUF_PRINTF(sb, ":0x%x <---> ", tunmap->access.remote_teid);
-	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tunmap->access.gtp_local_addr);
-	OSMO_STRBUF_PRINTF(sb, ":0x%x UPF ", tunmap->access.local_teid);
-	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tunmap->core.gtp_local_addr);
-	OSMO_STRBUF_PRINTF(sb, ":0x%x <---> ", tunmap->core.local_teid);
-	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tunmap->core.gtp_remote_addr);
-	OSMO_STRBUF_PRINTF(sb, ":0x%x CORE", tunmap->core.remote_teid);
+	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tunmap->access.tun.remote.addr);
+	OSMO_STRBUF_PRINTF(sb, ":0x%x <---> ", tunmap->access.tun.remote.teid);
+	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tunmap->access.tun.local.addr);
+	OSMO_STRBUF_PRINTF(sb, ":0x%x UPF ", tunmap->access.tun.local.teid);
+	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tunmap->core.tun.local.addr);
+	OSMO_STRBUF_PRINTF(sb, ":0x%x <---> ", tunmap->core.tun.local.teid);
+	OSMO_STRBUF_APPEND(sb, osmo_sockaddr_to_str_buf2, &tunmap->core.tun.remote.addr);
+	OSMO_STRBUF_PRINTF(sb, ":0x%x CORE", tunmap->core.tun.remote.teid);
 	return sb.chars_needed;
 }
 
-char *upf_nft_tunmap_to_str_c(void *ctx, const struct upf_nft_tunmap_desc *tunmap)
+char *upf_nft_tunmap_to_str_c(void *ctx, const struct upf_tunmap *tunmap)
 {
 	OSMO_NAME_C_IMPL(ctx, 128, "ERROR", upf_nft_tunmap_to_str_buf, tunmap)
 }
 
-static void upf_nft_args_from_tunmap_desc(struct upf_nft_args *args, const struct upf_nft_tunmap_desc *tunmap)
+static void upf_nft_args_from_tunmap(struct upf_nft_args *args, const struct upf_tunmap *tunmap)
 {
-	OSMO_ASSERT(osmo_sockaddr_port(&tunmap->access.gtp_remote_addr.u.sa) == 0);
-	OSMO_ASSERT(osmo_sockaddr_port(&tunmap->access.gtp_local_addr.u.sa) == 0);
-	OSMO_ASSERT(osmo_sockaddr_port(&tunmap->core.gtp_remote_addr.u.sa) == 0);
-	OSMO_ASSERT(osmo_sockaddr_port(&tunmap->core.gtp_local_addr.u.sa) == 0);
+	OSMO_ASSERT(osmo_sockaddr_port(&tunmap->access.tun.remote.addr.u.sa) == 0);
+	OSMO_ASSERT(osmo_sockaddr_port(&tunmap->access.tun.local.addr.u.sa) == 0);
+	OSMO_ASSERT(osmo_sockaddr_port(&tunmap->core.tun.remote.addr.u.sa) == 0);
+	OSMO_ASSERT(osmo_sockaddr_port(&tunmap->core.tun.local.addr.u.sa) == 0);
 
 	*args = (struct upf_nft_args){
-		.table_name = g_upf->nft.table_name,
+		.table_name = g_upf->tunmap.table_name,
 		.peer_a = {
-			.addr_remote = &tunmap->access.gtp_remote_addr,
-			.teid_remote = tunmap->access.remote_teid,
-			.addr_local = &tunmap->access.gtp_local_addr,
-			.teid_local = tunmap->access.local_teid,
+			.addr_remote = &tunmap->access.tun.remote.addr,
+			.teid_remote = tunmap->access.tun.remote.teid,
+			.addr_local = &tunmap->access.tun.local.addr,
+			.teid_local = tunmap->access.tun.local.teid,
 			.chain_id = tunmap->access.chain_id,
 		},
 		.peer_b = {
-			.addr_remote = &tunmap->core.gtp_remote_addr,
-			.teid_remote = tunmap->core.remote_teid,
-			.addr_local = &tunmap->core.gtp_local_addr,
-			.teid_local = tunmap->core.local_teid,
+			.addr_remote = &tunmap->core.tun.remote.addr,
+			.teid_remote = tunmap->core.tun.remote.teid,
+			.addr_local = &tunmap->core.tun.local.addr,
+			.teid_local = tunmap->core.tun.local.teid,
 			.chain_id = tunmap->core.chain_id,
 		},
 	};
@@ -334,49 +449,58 @@ static void upf_nft_args_from_tunmap_desc(struct upf_nft_args *args, const struc
 
 char *upf_nft_tunmap_get_table_init_str(void *ctx)
 {
-	return upf_nft_ruleset_table_create(ctx, g_upf->nft.table_name);
+	return upf_nft_ruleset_table_create(ctx, g_upf->tunmap.table_name);
 }
 
 char *upf_nft_tunmap_get_vmap_init_str(void *ctx)
 {
-	return upf_nft_ruleset_vmap_init(ctx, g_upf->nft.table_name, g_upf->nft.priority_pre,
-					 g_upf->nft.priority_post);
+	return upf_nft_ruleset_vmap_init(ctx, g_upf->tunmap.table_name, g_upf->tunmap.priority_pre,
+					 g_upf->tunmap.priority_post);
 }
 
-static uint32_t chain_id_next(void)
-{
-	g_upf->nft.next_chain_id_state++;
-	if (!g_upf->nft.next_chain_id_state)
-		g_upf->nft.next_chain_id_state++;
-	return g_upf->nft.next_chain_id_state;
-}
-
-char *upf_nft_tunmap_get_ruleset_str(void *ctx, struct upf_nft_tunmap_desc *tunmap)
+int upf_nft_tunmap_get_ruleset_str_buf(char *buf, size_t len, struct upf_tunmap *tunmap)
 {
 	struct upf_nft_args args;
-
-	if (!tunmap->access.chain_id)
-		tunmap->access.chain_id = chain_id_next();
-	if (!tunmap->core.chain_id)
-		tunmap->core.chain_id = chain_id_next();
-
-	upf_nft_args_from_tunmap_desc(&args, tunmap);
-	return upf_nft_ruleset_tunmap_create_c(ctx, &args);
+	upf_nft_args_from_tunmap(&args, tunmap);
+	return upf_nft_ruleset_tunmap_create_buf(buf, len, &args);
 }
 
-char *upf_nft_tunmap_get_ruleset_del_str(void *ctx, struct upf_nft_tunmap_desc *tunmap)
+char *upf_nft_tunmap_get_ruleset_str(void *ctx, struct upf_tunmap *tunmap)
+{
+	OSMO_NAME_C_IMPL(ctx, 1024, "ERROR", upf_nft_tunmap_get_ruleset_str_buf, tunmap)
+}
+
+int upf_nft_tunmap_get_ruleset_del_str_buf(char *buf, size_t len, struct upf_tunmap *tunmap)
 {
 	struct upf_nft_args args;
-	upf_nft_args_from_tunmap_desc(&args, tunmap);
-	return upf_nft_ruleset_tunmap_delete_c(ctx, &args);
+	upf_nft_args_from_tunmap(&args, tunmap);
+	return upf_nft_ruleset_tunmap_delete_buf(buf, len, &args);
 }
 
-int upf_nft_tunmap_create(struct upf_nft_tunmap_desc *tunmap)
+char *upf_nft_tunmap_get_ruleset_del_str(void *ctx, struct upf_tunmap *tunmap)
 {
-	return upf_nft_run(upf_nft_tunmap_get_ruleset_str(OTC_SELECT, tunmap));
+	OSMO_NAME_C_IMPL(ctx, 1024, "ERROR", upf_nft_tunmap_get_ruleset_del_str_buf, tunmap)
 }
 
-int upf_nft_tunmap_delete(struct upf_nft_tunmap_desc *tunmap)
+static int upf_nft_tunmap_ensure_chain_id(struct upf_nft_tun *tun)
 {
-	return upf_nft_run(upf_nft_tunmap_get_ruleset_del_str(OTC_SELECT, tunmap));
+	if (tun->chain_id)
+		return 0;
+	tun->chain_id = upf_next_chain_id();
+	if (!tun->chain_id)
+		return -ENOSPC;
+	return 0;
+}
+
+int upf_nft_tunmap_create(struct upf_tunmap *tunmap)
+{
+	if (upf_nft_tunmap_ensure_chain_id(&tunmap->access)
+	    || upf_nft_tunmap_ensure_chain_id(&tunmap->core))
+		return -ENOSPC;
+	return nft_enqueue(&g_nft_queue, upf_nft_tunmap_get_ruleset_str_buf, tunmap);
+}
+
+int upf_nft_tunmap_delete(struct upf_tunmap *tunmap)
+{
+	return nft_enqueue(&g_nft_queue, upf_nft_tunmap_get_ruleset_del_str_buf, tunmap);
 }

src/osmo-upf/upf_vty.c

@@ -38,6 +38,7 @@
 #include <osmocom/upf/up_session.h>
 #include <osmocom/upf/up_gtp_action.h>
 #include <osmocom/upf/netinst.h>
+#include <osmocom/upf/upf_gtpu_echo.h>
 
 enum upf_vty_node {
 	PFCP_NODE = _LAST_OSMOVTY_NODE + 1,
@@ -53,7 +54,7 @@ static struct cmd_node cfg_pfcp_node = {
 };
 
 #define pfcp_vty (g_upf->pfcp.vty_cfg)
-#define tunend_vty (g_upf->gtp.vty_cfg)
+#define tunend_vty (g_upf->tunend.vty_cfg)
 
 DEFUN(cfg_pfcp, cfg_pfcp_cmd,
       "pfcp",
@@ -102,7 +103,7 @@ static int config_write_tunend(struct vty *vty)
 	struct tunend_vty_cfg_dev *d;
 	vty_out(vty, "tunend%s", VTY_NEWLINE);
 
-	if (g_upf->gtp.mockup)
+	if (g_upf->tunend.mockup)
 		vty_out(vty, " mockup%s", VTY_NEWLINE);
 
 	llist_for_each_entry(d, &tunend_vty.devs, entry) {
@@ -124,7 +125,7 @@ DEFUN(cfg_tunend_mockup, cfg_tunend_mockup_cmd,
       "mockup",
       "don't actually send commands to the GTP kernel module, just return success\n")
 {
-	g_upf->gtp.mockup = true;
+	g_upf->tunend.mockup = true;
 	return CMD_SUCCESS;
 }
 
@@ -133,7 +134,7 @@ DEFUN(cfg_tunend_no_mockup, cfg_tunend_no_mockup_cmd,
       NO_STR
       "operate GTP kernel module normally\n")
 {
-	g_upf->gtp.mockup = false;
+	g_upf->tunend.mockup = false;
 	return CMD_SUCCESS;
 }
 
@@ -224,11 +225,11 @@ static int config_write_tunmap(struct vty *vty)
 {
 	vty_out(vty, "tunmap%s", VTY_NEWLINE);
 
-	if (g_upf->nft.mockup)
+	if (g_upf->tunmap.mockup)
 		vty_out(vty, " mockup%s", VTY_NEWLINE);
 
-	if (g_upf->nft.table_name && strcmp(g_upf->nft.table_name, "osmo-upf"))
-		vty_out(vty, " table-name %s%s", g_upf->nft.table_name, VTY_NEWLINE);
+	if (g_upf->tunmap.table_name && strcmp(g_upf->tunmap.table_name, "osmo-upf"))
+		vty_out(vty, " table-name %s%s", g_upf->tunmap.table_name, VTY_NEWLINE);
 
 	return CMD_SUCCESS;
 }
@@ -237,7 +238,7 @@ DEFUN(cfg_tunmap_mockup, cfg_tunmap_mockup_cmd,
       "mockup",
       "don't actually send rulesets to nftables, just return success\n")
 {
-	g_upf->nft.mockup = true;
+	g_upf->tunmap.mockup = true;
 	return CMD_SUCCESS;
 }
 
@@ -246,7 +247,7 @@ DEFUN(cfg_tunmap_no_mockup, cfg_tunmap_no_mockup_cmd,
       NO_STR
       "operate nftables rulesets normally\n")
 {
-	g_upf->nft.mockup = false;
+	g_upf->tunmap.mockup = false;
 	return CMD_SUCCESS;
 }
 
@@ -258,7 +259,7 @@ DEFUN(cfg_tunmap_table_name, cfg_tunmap_table_name_cmd,
       " The default table name is \"osmo-upf\".\n"
       "nft inet table name\n")
 {
-	osmo_talloc_replace_string(g_upf, &g_upf->nft.table_name, argv[0]);
+	osmo_talloc_replace_string(g_upf, &g_upf->tunmap.table_name, argv[0]);
 	return CMD_SUCCESS;
 }
 
@@ -296,39 +297,43 @@ DEFUN(show_nft_rule_tunmap_example, show_nft_rule_tunmap_example_cmd,
       "Print a complete nftables ruleset for a tunmap filled with example IP addresses and TEIDs\n")
 {
 	struct osmo_sockaddr_str str = {};
-	struct upf_nft_tunmap_desc d = {
+	struct upf_tunmap tunmap = {
 		.access = {
-			.local_teid = 0x201,
-			.remote_teid = 0x102,
+			.tun = {
+				.local.teid = 0x201,
+				.remote.teid = 0x102,
+			},
 			.chain_id = 123,
 		},
 		.core = {
-			.local_teid = 0x203,
-			.remote_teid = 0x302,
+			.tun = {
+				.local.teid = 0x203,
+				.remote.teid = 0x302,
+			},
 			.chain_id = 321,
 		},
 	};
 
 	osmo_sockaddr_str_from_str2(&str, "1.1.1.1");
-	osmo_sockaddr_str_to_sockaddr(&str, &d.access.gtp_remote_addr.u.sas);
+	osmo_sockaddr_str_to_sockaddr(&str, &tunmap.access.tun.remote.addr.u.sas);
 
 	osmo_sockaddr_str_from_str2(&str, "2.2.2.1");
-	osmo_sockaddr_str_to_sockaddr(&str, &d.access.gtp_local_addr.u.sas);
+	osmo_sockaddr_str_to_sockaddr(&str, &tunmap.access.tun.local.addr.u.sas);
 
 	osmo_sockaddr_str_from_str2(&str, "2.2.2.3");
-	osmo_sockaddr_str_to_sockaddr(&str, &d.core.gtp_local_addr.u.sas);
+	osmo_sockaddr_str_to_sockaddr(&str, &tunmap.core.tun.local.addr.u.sas);
 
 	osmo_sockaddr_str_from_str2(&str, "3.3.3.3");
-	osmo_sockaddr_str_to_sockaddr(&str, &d.core.gtp_remote_addr.u.sas);
+	osmo_sockaddr_str_to_sockaddr(&str, &tunmap.core.tun.remote.addr.u.sas);
 
 	vty_out(vty, "%% init verdict map:%s", VTY_NEWLINE);
 	vty_out(vty, "%s%s", upf_nft_tunmap_get_table_init_str(OTC_SELECT), VTY_NEWLINE);
 	vty_out(vty, "%s%s", upf_nft_tunmap_get_vmap_init_str(OTC_SELECT), VTY_NEWLINE);
 	vty_out(vty, "%% add tunmap:%s", VTY_NEWLINE);
-	vty_out(vty, "%% %s%s", upf_nft_tunmap_to_str_c(OTC_SELECT, &d), VTY_NEWLINE);
-	vty_out(vty, "%s%s", upf_nft_tunmap_get_ruleset_str(OTC_SELECT, &d), VTY_NEWLINE);
+	vty_out(vty, "%% %s%s", upf_nft_tunmap_to_str_c(OTC_SELECT, &tunmap), VTY_NEWLINE);
+	vty_out(vty, "%s%s", upf_nft_tunmap_get_ruleset_str(OTC_SELECT, &tunmap), VTY_NEWLINE);
 	vty_out(vty, "%% delete tunmap:%s", VTY_NEWLINE);
-	vty_out(vty, "%s%s", upf_nft_tunmap_get_ruleset_del_str(OTC_SELECT, &d), VTY_NEWLINE);
+	vty_out(vty, "%s%s", upf_nft_tunmap_get_ruleset_del_str(OTC_SELECT, &tunmap), VTY_NEWLINE);
 	return CMD_SUCCESS;
 }
 
@@ -477,11 +482,110 @@ DEFUN(show_session, show_session_cmd,
 			}
 		}
 	}
-	vty_out(vty, "(%d fully-active + %d partially active + %d inactive)%s",
+	vty_out(vty, "(%d fully-active + %d active with some PDR/FAR ignored + %d inactive)%s",
 		fully_active_count, active_count, inactive_count, VTY_NEWLINE);
 	return CMD_SUCCESS;
 }
 
+/* variant:
+ *  0 "gtp1u-echo send to (A.B.C.D|X:X::X:X)"
+ *  1 "gtp1u-echo send to (A.B.C.D|X:X::X:X) local-ip (A.B.C.D|X:X::X:X)"
+ *  2 "gtp1u-echo send to (A.B.C.D|X:X::X:X) local-dev DEV_NAME"
+ */
+static int _gtp_echo_tx(struct vty *vty, int variant, int argc, const char **argv)
+{
+	struct osmo_sockaddr_str addr;
+	struct osmo_sockaddr osa_remote;
+	struct osmo_sockaddr osa_local;
+	struct upf_gtp_dev *gtp_dev = NULL;
+	const char *remote_str = argv[0];
+	const char *local_str = NULL;
+	if (argc > 1)
+		local_str = argv[1];
+
+	/* GTP can be received on port 2152 only, i.e. the remote port must be 2152. (The sending port is allowed to
+	 * differ). */
+	if (osmo_sockaddr_str_from_str(&addr, remote_str, 2152)
+	    || osmo_sockaddr_str_to_osa(&addr, &osa_remote)) {
+		vty_out(vty, "%% Error: cannot send Echo: invalid IP address: %s%s",
+			osmo_quote_str(remote_str, -1), VTY_NEWLINE);
+		return CMD_WARNING;
+	}
+
+	switch (variant) {
+	case 0:
+		gtp_dev = llist_first_entry_or_null(&g_upf->tunend.devs, struct upf_gtp_dev, entry);
+		if (!gtp_dev) {
+			vty_out(vty, "%% Error: cannot send Echo: there is no GTP device%s",
+				VTY_NEWLINE);
+			return CMD_WARNING;
+		}
+		break;
+	case 1:
+		if (osmo_sockaddr_str_from_str(&addr, local_str, 2152)
+		    || osmo_sockaddr_str_to_osa(&addr, &osa_local)) {
+			vty_out(vty, "%% Error: cannot send Echo: invalid IP address: %s%s",
+				osmo_quote_str(local_str, -1), VTY_NEWLINE);
+			return CMD_WARNING;
+		}
+		gtp_dev = upf_gtp_dev_find_by_local_addr(&osa_local);
+		if (!gtp_dev) {
+			vty_out(vty, "%% Error: cannot send Echo: this does not seem to be a locally bound GTP address: %s%s",
+				osmo_sockaddr_to_str_c(OTC_SELECT, &osa_local), VTY_NEWLINE);
+			return CMD_WARNING;
+		}
+		break;
+	case 2:
+		gtp_dev = upf_gtp_dev_find_by_name(local_str);
+		if (!gtp_dev) {
+			vty_out(vty, "%% Error: cannot send Echo: there is no GTP device by the name of '%s'%s",
+				local_str, VTY_NEWLINE);
+			return CMD_WARNING;
+		}
+		break;
+	}
+	OSMO_ASSERT(gtp_dev);
+
+	if (upf_gtpu_echo_req_tx(gtp_dev, &osa_remote, g_upf->gtp.next_echo_seq_nr++)) {
+		vty_out(vty, "%% Error: Failed to transmit Echo Request (see DGTP logging)%s", VTY_NEWLINE);
+		return CMD_WARNING;
+	}
+	vty_out(vty, "%s -> %s tx Echo Request; for responses, see DGTP logging level INFO%s",
+		gtp_dev->name, osmo_sockaddr_to_str_c(OTC_SELECT, &osa_remote), VTY_NEWLINE);
+	return CMD_SUCCESS;
+}
+
+#define IP46_STR "IPv4 address\nIPv6 address\n"
+#define GTP_ECHO_TX_STR \
+      "GTP1-U Echo probing\n" \
+      "Send a GTP1-U Echo Request to a remote peer\n" \
+      "Send to remote peer's GTP address\n" IP46_STR
+
+DEFUN(gtp_echo_tx, gtp_echo_tx_cmd,
+      "gtp1u-echo send to " VTY_IPV46_CMD,
+      GTP_ECHO_TX_STR)
+{
+	return _gtp_echo_tx(vty, 0, argc, argv);
+}
+
+DEFUN(gtp_echo_tx_local_ip, gtp_echo_tx_local_ip_cmd,
+      "gtp1u-echo send to " VTY_IPV46_CMD " local-ip " VTY_IPV46_CMD,
+      GTP_ECHO_TX_STR
+      "Send from local GTP device, chosen by IP address\n"
+      IP46_STR)
+{
+	return _gtp_echo_tx(vty, 1, argc, argv);
+}
+
+DEFUN(gtp_echo_tx_local_dev, gtp_echo_tx_local_dev_cmd,
+      "gtp1u-echo send to " VTY_IPV46_CMD " local-dev DEV_NAME",
+      GTP_ECHO_TX_STR
+      "Send from local GTP device, chosen by name as configured in 'dev create' or 'dev use'.\n"
+      "A GTP device name as it appears in the cfg\n")
+{
+	return _gtp_echo_tx(vty, 2, argc, argv);
+}
+
 void upf_vty_init()
 {
 	OSMO_ASSERT(g_upf != NULL);
@@ -491,6 +595,9 @@ void upf_vty_init()
 	install_element_ve(&show_session_cmd);
 	install_element_ve(&show_netinst_cmd);
 	install_element_ve(&show_nft_rule_append_cmd);
+	install_element_ve(&gtp_echo_tx_cmd);
+	install_element_ve(&gtp_echo_tx_local_ip_cmd);
+	install_element_ve(&gtp_echo_tx_local_dev_cmd);
 
 	install_node(&cfg_pfcp_node, config_write_pfcp);
 	install_element(CONFIG_NODE, &cfg_pfcp_cmd);

tests/Makefile.am

@@ -1,3 +1,7 @@
+SUBDIRS = \
+	unique_ids \
+	$(NULL)
+
 # The `:;' works around a Bash 3.2 bug when the output is not writeable.
 $(srcdir)/package.m4: $(top_srcdir)/configure.ac
 	:;{ \
@@ -17,7 +21,7 @@ $(srcdir)/package.m4: $(top_srcdir)/configure.ac
              } >'$(srcdir)/package.m4'
 
 EXTRA_DIST = \
-	upf.vty \
+	$(srcdir)/*.vty \
 	testsuite.at \
 	$(srcdir)/package.m4 \
 	$(TESTSUITE) \

tests/gtp-echo.vty

@@ -0,0 +1,42 @@
+OsmoUPF> list
+...
+  gtp1u-echo send to (A.B.C.D|X:X::X:X)
+  gtp1u-echo send to (A.B.C.D|X:X::X:X) local-ip (A.B.C.D|X:X::X:X)
+  gtp1u-echo send to (A.B.C.D|X:X::X:X) local-dev DEV_NAME
+...
+OsmoUPF> enable
+OsmoUPF# list
+...
+  gtp1u-echo send to (A.B.C.D|X:X::X:X)
+  gtp1u-echo send to (A.B.C.D|X:X::X:X) local-ip (A.B.C.D|X:X::X:X)
+  gtp1u-echo send to (A.B.C.D|X:X::X:X) local-dev DEV_NAME
+...
+OsmoUPF# configure terminal
+OsmoUPF(config)# list
+... !gtp1u-echo
+OsmoUPF(config)# end
+
+OsmoUPF# gtp1u-echo?
+  gtp1u-echo  GTP1-U Echo probing
+OsmoUPF# gtp1u-echo ?
+  send  Send a GTP1-U Echo Request to a remote peer
+OsmoUPF# gtp1u-echo send ?
+  to  Send to remote peer's GTP address
+OsmoUPF# gtp1u-echo send to ?
+  A.B.C.D   IPv4 address
+  X:X::X:X  IPv6 address
+OsmoUPF# gtp1u-echo send to 1.2.3.4 ?
+  local-ip   Send from local GTP device, chosen by IP address
+  local-dev  Send from local GTP device, chosen by name as configured in 'dev create' or 'dev use'.
+  <cr>       
+OsmoUPF# gtp1u-echo send to 1.2.3.4 local-ip ?
+  A.B.C.D   IPv4 address
+  X:X::X:X  IPv6 address
+OsmoUPF# gtp1u-echo send to 1.2.3.4 local-dev ?
+  DEV_NAME  A GTP device name as it appears in the cfg
+OsmoUPF# gtp1u-echo send to 1.2.3.4
+% Error: cannot send Echo: there is no GTP device
+OsmoUPF# gtp1u-echo send to 1.2.3.4 local-ip 1.2.3.4
+% Error: cannot send Echo: this does not seem to be a locally bound GTP address: 1.2.3.4:2152
+OsmoUPF# gtp1u-echo send to 1.2.3.4 local-dev apn0
+% Error: cannot send Echo: there is no GTP device by the name of 'apn0'

tests/nft-rule.vty

@@ -18,13 +18,13 @@ add rule inet osmo-upf post meta mark vmap @tunmap-post;
 add chain inet osmo-upf tunmap-pre-123;
 add rule inet osmo-upf tunmap-pre-123 ip daddr set 3.3.3.3 meta mark set 123 counter accept;
 add chain inet osmo-upf tunmap-post-123;
-add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.3 @ih,32,32 set 0x302 counter accept;
+add rule inet osmo-upf tunmap-post-123 ip saddr set 2.2.2.3 udp sport set 2152 @ih,32,32 set 0x302 counter accept;
 add element inet osmo-upf tunmap-pre { 2.2.2.1 . 0x201 : jump tunmap-pre-123 };
 add element inet osmo-upf tunmap-post { 123 : jump tunmap-post-123 };
 add chain inet osmo-upf tunmap-pre-321;
 add rule inet osmo-upf tunmap-pre-321 ip daddr set 1.1.1.1 meta mark set 321 counter accept;
 add chain inet osmo-upf tunmap-post-321;
-add rule inet osmo-upf tunmap-post-321 ip saddr set 2.2.2.1 @ih,32,32 set 0x102 counter accept;
+add rule inet osmo-upf tunmap-post-321 ip saddr set 2.2.2.1 udp sport set 2152 @ih,32,32 set 0x102 counter accept;
 add element inet osmo-upf tunmap-pre { 2.2.2.3 . 0x203 : jump tunmap-pre-321 };
 add element inet osmo-upf tunmap-post { 321 : jump tunmap-post-321 };
 

tests/testsuite.at

@@ -1,2 +1,9 @@
 AT_INIT
 AT_BANNER([Regression tests.])
+
+AT_SETUP([unique_ids_test])
+AT_KEYWORDS([unique_ids_test])
+cat $abs_srcdir/unique_ids/unique_ids_test.ok > expout
+cat $abs_srcdir/unique_ids/unique_ids_test.err > experr
+AT_CHECK([$abs_top_builddir/tests/unique_ids/unique_ids_test], [], [expout], [experr])
+AT_CLEANUP

tests/unique_ids/Makefile.am

@@ -0,0 +1,41 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/include \
+	$(NULL)
+
+AM_CFLAGS = \
+	-Wall \
+	$(LIBOSMOCORE_CFLAGS) \
+	$(LIBOSMOVTY_CFLAGS) \
+	$(LIBOSMOCTRL_CFLAGS) \
+	$(LIBOSMOGTLV_CFLAGS) \
+	$(LIBOSMOPFCP_CFLAGS) \
+	$(LIBGTPNL_CFLAGS) \
+	$(LIBNFTNL_CFLAGS) \
+	$(LIBNFTABLES_CFLAGS) \
+	$(COVERAGE_CFLAGS) \
+	$(NULL)
+
+EXTRA_DIST = \
+	unique_ids_test.ok \
+	unique_ids_test.err \
+	$(NULL)
+
+check_PROGRAMS = \
+	unique_ids_test \
+	$(NULL)
+
+unique_ids_test_SOURCES = \
+	unique_ids_test.c \
+	$(NULL)
+
+unique_ids_test_LDADD = \
+	$(top_builddir)/src/osmo-upf/libupf.la \
+	$(NULL)
+
+unique_ids_test_LDFLAGS = \
+	-no-install \
+	$(NULL)
+
+.PHONY: update_exp
+update_exp:
+	$(builddir)/unique_ids_test >$(srcdir)/unique_ids_test.ok 2>$(srcdir)/unique_ids_test.err

tests/unique_ids/unique_ids_test.c

@@ -0,0 +1,575 @@
+/* OsmoUPF: Verify that skipping used ids works for: UP-SEID, GTP local TEID, nft ruleset chain_id. */
+
+/* (C) 2023 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
+ *
+ * All Rights Reserved
+ *
+ * Author: Neels Hofmeyr <nhofmeyr@sysmocom.de>
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <getopt.h>
+
+#include <nftables/libnftables.h>
+
+#include <osmocom/core/sockaddr_str.h>
+#include <osmocom/core/application.h>
+
+#include <osmocom/pfcp/pfcp_endpoint.h>
+
+#include <osmocom/upf/upf.h>
+#include <osmocom/upf/netinst.h>
+#include <osmocom/upf/up_endpoint.h>
+#include <osmocom/upf/up_peer.h>
+#include <osmocom/upf/up_session.h>
+#include <osmocom/upf/up_gtp_action.h>
+
+#define log(FMT, ARGS...) fprintf(stderr, FMT, ##ARGS)
+#define log_assert(COND) do { \
+		log("assert(" #COND ")\n"); \
+		OSMO_ASSERT(COND); \
+	} while (0)
+
+#define log_assert_expect_failure(COND) do { \
+		log("assert(" #COND ") <-- EXPECTED TO FAIL (known error)\n"); \
+		OSMO_ASSERT(!(COND)); \
+	} while (0)
+
+
+void *main_ctx;
+void *ctx;
+
+/* The override of osmo_pfcp_endpoint_tx() stores any Session Establishment Response's UP-SEID here, so that this test
+ * can reference specific sessions later.
+ */
+uint64_t last_up_seid = 0;
+
+void select_poll(void)
+{
+	while (osmo_select_main_ctx(1));
+}
+
+static void setup(const char *name)
+{
+	log("\n===== START of %s\n", name);
+	ctx = talloc_named_const(main_ctx, 0, name);
+	g_upf_alloc(ctx);
+	osmo_talloc_replace_string(g_upf, &g_upf->pfcp.vty_cfg.local_addr, "1.1.1.1");
+
+	OSMO_ASSERT(netinst_add(g_upf, &g_upf->netinst, "default", "1.1.1.1", NULL));
+
+	/* PFCP endpoint recovery timestamp overridden by time() below */
+	upf_pfcp_init();
+	/* but do not upf_pfcp_listen() */
+
+	upf_nft_init();
+
+	select_poll();
+	log("\n");
+}
+
+static void cleanup(void)
+{
+	up_endpoint_free(&g_upf->pfcp.ep);
+	upf_gtp_devs_close();
+
+	upf_gtp_genl_close();
+
+	upf_nft_free();
+
+	log("\n===== END of %s\n", talloc_get_name(ctx));
+	talloc_free(ctx);
+}
+
+static struct osmo_sockaddr *str2addr(const char *addr, uint16_t port)
+{
+	static struct osmo_sockaddr osa;
+	struct osmo_sockaddr_str str;
+	osmo_sockaddr_str_from_str(&str, addr, port);
+	osmo_sockaddr_str_to_sockaddr(&str, &osa.u.sas);
+	return &osa;
+}
+
+static struct up_peer *have_peer(const char *remote_addr, uint16_t port)
+{
+	return up_peer_find_or_add(g_upf->pfcp.ep, str2addr(remote_addr, port));
+}
+
+static struct osmo_pfcp_msg *new_pfcp_msg_for_osmo_upf_rx(struct up_peer *from_peer, enum osmo_pfcp_message_type msg_type)
+{
+	/* pfcp_endpoint discards received messages immediately after dispatching; in this test, allocate them in
+	 * OTC_SELECT so they get discarded on the next select_poll().
+	 * osmo_pfcp_msg_alloc_rx() is not useful here, it creates a blank struct to be decoded from raw data; instead,
+	 * use osmo_pfcp_msg_alloc_tx_req() which properly sets up the internal structures to match the given msg_type,
+	 * and when that is done set m->rx = true to indicate it is a message received by osmo-upf. */
+	struct osmo_pfcp_msg *m = osmo_pfcp_msg_alloc_tx_req(OTC_SELECT, &from_peer->remote_addr, msg_type);
+	m->rx = true;
+	return m;
+}
+
+static void peer_assoc(struct up_peer *peer)
+{
+	struct osmo_pfcp_msg *m = new_pfcp_msg_for_osmo_upf_rx(peer, OSMO_PFCP_MSGT_ASSOC_SETUP_REQ);
+	m->ies.assoc_setup_req.recovery_time_stamp = 1234;
+	osmo_fsm_inst_dispatch(peer->fi, UP_PEER_EV_RX_ASSOC_SETUP_REQ, m);
+	select_poll();
+}
+
+static int next_teid = 0x100;
+static int next_cp_seid = 0x100;
+
+/* Send a PFCP Session Establishment Request, and return the created session */
+static struct up_session *session_est_tunmap(struct up_peer *peer)
+{
+	struct osmo_pfcp_msg *m;
+
+	struct osmo_pfcp_ie_f_seid cp_f_seid;
+
+	struct osmo_pfcp_ie_f_teid f_teid_access_local;
+	struct osmo_pfcp_ie_outer_header_creation ohc_access;
+
+	struct osmo_pfcp_ie_f_teid f_teid_core_local;
+	struct osmo_pfcp_ie_outer_header_creation ohc_core;
+
+	struct osmo_pfcp_ie_apply_action aa = {};
+
+	osmo_pfcp_bits_set(aa.bits, OSMO_PFCP_APPLY_ACTION_FORW, true);
+
+	f_teid_access_local = (struct osmo_pfcp_ie_f_teid){
+		.choose_flag = true,
+		.choose = {
+			.ipv4_addr = true,
+		},
+	};
+
+	ohc_access = (struct osmo_pfcp_ie_outer_header_creation){
+		.teid_present = true,
+		.teid = next_teid++,
+		.ip_addr = {
+			.v4_present = true,
+			.v4 = *str2addr("5.6.7.8", 0),
+		},
+	};
+	osmo_pfcp_bits_set(ohc_access.desc_bits, OSMO_PFCP_OUTER_HEADER_CREATION_GTP_U_UDP_IPV4, true);
+
+	f_teid_core_local = (struct osmo_pfcp_ie_f_teid){
+		.choose_flag = true,
+		.choose = {
+			.ipv4_addr = true,
+		},
+	};
+
+	ohc_core = (struct osmo_pfcp_ie_outer_header_creation){
+		.teid_present = true,
+		.teid = next_teid++,
+		.ip_addr = {
+			.v4_present = true,
+			.v4 = *str2addr("13.14.15.16", 0),
+		},
+	};
+	osmo_pfcp_bits_set(ohc_core.desc_bits, OSMO_PFCP_OUTER_HEADER_CREATION_GTP_U_UDP_IPV4, true);
+
+	cp_f_seid = (struct osmo_pfcp_ie_f_seid){
+		.seid = next_cp_seid++,
+	};
+	osmo_pfcp_ip_addrs_set(&cp_f_seid.ip_addr, osmo_pfcp_endpoint_get_local_addr(g_upf->pfcp.ep->pfcp_ep));
+
+	m = new_pfcp_msg_for_osmo_upf_rx(peer, OSMO_PFCP_MSGT_SESSION_EST_REQ);
+	m->h.seid_present = true;
+	m->h.seid = 0;
+	/* GTP tunmap: remove header from both directions, and add header in both directions */
+	m->ies.session_est_req = (struct osmo_pfcp_msg_session_est_req){
+		.node_id = m->ies.session_est_req.node_id,
+		.cp_f_seid_present = true,
+		.cp_f_seid = cp_f_seid,
+		.create_pdr_count = 2,
+		.create_pdr = {
+			{
+				.pdr_id = 1,
+				.precedence = 255,
+				.pdi = {
+					.source_iface = OSMO_PFCP_SOURCE_IFACE_CORE,
+					.local_f_teid_present = true,
+					.local_f_teid = f_teid_core_local,
+				},
+				.outer_header_removal_present = true,
+				.outer_header_removal = {
+					.desc = OSMO_PFCP_OUTER_HEADER_REMOVAL_GTP_U_UDP_IPV4,
+				},
+				.far_id_present = true,
+				.far_id = 1,
+			},
+			{
+				.pdr_id = 2,
+				.precedence = 255,
+				.pdi = {
+					.source_iface = OSMO_PFCP_SOURCE_IFACE_ACCESS,
+					.local_f_teid_present = true,
+					.local_f_teid = f_teid_access_local,
+				},
+				.outer_header_removal_present = true,
+				.outer_header_removal = {
+					.desc = OSMO_PFCP_OUTER_HEADER_REMOVAL_GTP_U_UDP_IPV4,
+				},
+				.far_id_present = true,
+				.far_id = 2,
+			},
+		},
+		.create_far_count = 2,
+		.create_far = {
+			{
+				.far_id = 1,
+				.forw_params_present = true,
+				.forw_params = {
+					.destination_iface = OSMO_PFCP_DEST_IFACE_ACCESS,
+					.outer_header_creation_present = true,
+					.outer_header_creation = ohc_access,
+				},
+				.apply_action = aa,
+			},
+			{
+				.far_id = 2,
+				.forw_params_present = true,
+				.forw_params = {
+					.destination_iface = OSMO_PFCP_DEST_IFACE_CORE,
+					.outer_header_creation_present = true,
+					.outer_header_creation = ohc_core,
+				},
+				.apply_action = aa,
+			},
+		},
+	};
+
+	osmo_fsm_inst_dispatch(peer->fi, UP_PEER_EV_RX_SESSION_EST_REQ, m);
+	select_poll();
+
+	return up_session_find_by_up_seid(peer, last_up_seid);
+}
+
+static void session_del(struct up_session *session)
+{
+	struct osmo_pfcp_msg *m;
+
+	log_assert(session);
+
+	m = new_pfcp_msg_for_osmo_upf_rx(session->up_peer, OSMO_PFCP_MSGT_SESSION_DEL_REQ);
+	m->h.seid_present = true;
+	m->h.seid = session->up_seid;
+
+	osmo_fsm_inst_dispatch(session->fi, UP_SESSION_EV_RX_SESSION_DEL_REQ, m);
+	select_poll();
+}
+
+static void dump_state(void)
+{
+	struct up_peer *peer;
+	log("\n state:\n");
+	llist_for_each_entry(peer, &g_upf->pfcp.ep->peers, entry) {
+		struct up_session *session;
+		int bkt;
+		log(" | peer %s %s\n", peer->fi->name, osmo_fsm_inst_state_name(peer->fi));
+		hash_for_each(peer->sessions_by_up_seid, bkt, session, node_by_up_seid) {
+			struct up_gtp_action *a;
+			llist_for_each_entry(a, &session->active_gtp_actions, entry) {
+				if (a->kind != UP_GTP_U_TUNMAP)
+					continue;
+				log(" |  session[%s]: UP-SEID 0x%"PRIx64"; chain_id access=%u core=%u;"
+				    " local TEID access=0x%x core=0x%x\n",
+				       osmo_fsm_inst_state_name(session->fi),
+				       session->up_seid,
+				       a->tunmap.access.chain_id, a->tunmap.core.chain_id,
+				       a->tunmap.access.tun.local.teid, a->tunmap.core.tun.local.teid);
+			}
+		}
+	}
+	log("\n");
+}
+
+static void test_skip_used_id(void)
+{
+	struct up_peer *peer;
+	struct up_session *s1;
+	uint64_t s1_up_seid;
+	struct up_session *s2;
+	struct up_session *s3;
+	struct up_session *s4;
+	struct up_gtp_action *a;
+
+	setup(__func__);
+
+	log("PFCP Associate peer\n");
+	peer = have_peer("1.2.3.4", 1234);
+	peer_assoc(peer);
+	dump_state();
+
+	/* Make sure to start out all IDs with 1 */
+	g_upf->pfcp.ep->next_up_seid_state = 0;
+	g_upf->gtp.next_local_teid_state = 0;
+	g_upf->tunmap.next_chain_id_state = 0;
+
+	log("set up tunmap, which assigns first UP-SEID 0x1, local-TEID 0x1 and 0x2, chain_ids 1 and 2\n");
+	s1 = session_est_tunmap(peer);
+	dump_state();
+
+	log_assert(s1->up_seid == 1);
+	a = llist_first_entry_or_null(&s1->active_gtp_actions, struct up_gtp_action, entry);
+	log_assert(a);
+	log_assert(a->kind == UP_GTP_U_TUNMAP);
+	log_assert(a->tunmap.core.tun.local.teid == 1);
+	log_assert(a->tunmap.access.tun.local.teid == 2);
+	log_assert(a->tunmap.access.chain_id == 1);
+	log_assert(a->tunmap.core.chain_id == 2);
+	log("\n");
+
+	log("simulate wrapping of IDs back to 1\n");
+	g_upf->pfcp.ep->next_up_seid_state = 0;
+	g_upf->gtp.next_local_teid_state = 0;
+	g_upf->tunmap.next_chain_id_state = 0;
+
+	log("set up second tunmap, should use distinct IDs\n");
+	s2 = session_est_tunmap(peer);
+	dump_state();
+
+	log_assert(s2->up_seid == 2);
+	a = llist_first_entry_or_null(&s2->active_gtp_actions, struct up_gtp_action, entry);
+	log_assert(a);
+	log_assert(a->kind == UP_GTP_U_TUNMAP);
+	log_assert(a->tunmap.core.tun.local.teid == 3);
+	log_assert(a->tunmap.access.tun.local.teid == 4);
+	log_assert(a->tunmap.access.chain_id == 3);
+	log_assert(a->tunmap.core.chain_id == 4);
+	log("\n");
+
+	log("drop first tunmap (%s)\n", s1->fi->name);
+	s1_up_seid = s1->up_seid;
+	session_del(s1);
+	dump_state();
+	log_assert(up_session_find_by_up_seid(peer, s1_up_seid) == NULL);
+	log("\n");
+
+	log("again wrap all ID state back to 1\n");
+	g_upf->pfcp.ep->next_up_seid_state = 0;
+	g_upf->gtp.next_local_teid_state = 0;
+	g_upf->tunmap.next_chain_id_state = 0;
+
+	log("set up third tunmap, should now re-use same IDs as the first session\n");
+	s3 = session_est_tunmap(peer);
+	dump_state();
+
+	log_assert(s3->up_seid == 1);
+	a = llist_first_entry_or_null(&s3->active_gtp_actions, struct up_gtp_action, entry);
+	log_assert(a);
+	log_assert(a->kind == UP_GTP_U_TUNMAP);
+	log_assert(a->tunmap.core.tun.local.teid == 1);
+	log_assert(a->tunmap.access.tun.local.teid == 2);
+	log_assert(a->tunmap.access.chain_id == 1);
+	log_assert(a->tunmap.core.chain_id == 2);
+	log("\n");
+
+	log("set up 4th tunmap; chain_id state would use 3 and 4, but they are in use, so should assign 5 and 6\n");
+	s4 = session_est_tunmap(peer);
+	dump_state();
+
+	log_assert(s4->up_seid == 3);
+	a = llist_first_entry_or_null(&s4->active_gtp_actions, struct up_gtp_action, entry);
+	log_assert(a);
+	log_assert(a->kind == UP_GTP_U_TUNMAP);
+	log_assert(a->tunmap.core.tun.local.teid == 5);
+	log_assert(a->tunmap.access.tun.local.teid == 6);
+	log_assert(a->tunmap.access.chain_id == 5);
+	log_assert(a->tunmap.core.chain_id == 6);
+	log("\n");
+
+	cleanup();
+}
+
+static const struct log_info_cat test_default_categories[] = {
+	[DREF] = {
+		.name = "DREF",
+		.description = "Reference Counting",
+		.enabled = 1, .loglevel = LOGL_DEBUG,
+		.color = OSMO_LOGCOLOR_DARKGREY,
+	},
+	[DPEER] = {
+		.name = "DPEER",
+		.description = "PFCP peer association",
+		.enabled = 1, .loglevel = LOGL_DEBUG,
+		.color = OSMO_LOGCOLOR_YELLOW,
+	},
+	[DSESSION] = {
+		.name = "DSESSION",
+		.description = "PFCP sessions",
+		.enabled = 1, .loglevel = LOGL_DEBUG,
+		.color = OSMO_LOGCOLOR_BLUE,
+	},
+	[DGTP] = {
+		.name = "DGTP",
+		.description = "GTP tunneling",
+		.enabled = 1, .loglevel = LOGL_DEBUG,
+		.color = OSMO_LOGCOLOR_PURPLE,
+	},
+	[DNFT] = {
+		.name = "DNFT",
+		.description = "GTP forwarding rules via linux netfilter",
+		.enabled = 1, .loglevel = LOGL_DEBUG,
+		.color = OSMO_LOGCOLOR_PURPLE,
+	},
+};
+
+const struct log_info log_info = {
+	.cat = test_default_categories,
+	.num_cat = ARRAY_SIZE(test_default_categories),
+};
+
+static struct {
+	bool verbose;
+} cmdline_opts = {
+	.verbose = false,
+};
+
+static void print_help(const char *program)
+{
+	printf("Usage:\n"
+	       "  %s [-v]\n"
+	       "Options:\n"
+	       "  -h --help      show this text.\n"
+	       "  -v --verbose   print source file and line numbers\n",
+	       program
+	       );
+}
+
+static void handle_options(int argc, char **argv)
+{
+	while (1) {
+		int option_index = 0, c;
+		static struct option long_options[] = {
+			{"help", 0, 0, 'h'},
+			{"verbose", 1, 0, 'v'},
+			{0, 0, 0, 0}
+		};
+
+		c = getopt_long(argc, argv, "hv",
+				long_options, &option_index);
+		if (c == -1)
+			break;
+
+		switch (c) {
+		case 'h':
+			print_help(argv[0]);
+			exit(0);
+		case 'v':
+			cmdline_opts.verbose = true;
+			break;
+		default:
+			/* catch unknown options *as well as* missing arguments. */
+			fprintf(stderr, "Error in command line options. Exiting.\n");
+			exit(-1);
+			break;
+		}
+	}
+}
+
+int main(int argc, char **argv)
+{
+	handle_options(argc, argv);
+
+	main_ctx = talloc_named_const(NULL, 0, "main");
+
+	msgb_talloc_ctx_init(main_ctx, 0);
+
+	osmo_fsm_set_dealloc_ctx(OTC_SELECT);
+
+	osmo_init_logging2(main_ctx, &log_info);
+	log_set_print_category_hex(osmo_stderr_target, 0);
+	log_set_print_category(osmo_stderr_target, 1);
+	log_set_print_level(osmo_stderr_target, 1);
+	log_set_print_timestamp(osmo_stderr_target, 0);
+	log_set_print_extended_timestamp(osmo_stderr_target, 0);
+	log_set_all_filter(osmo_stderr_target, 1);
+
+	if (cmdline_opts.verbose) {
+		log_set_print_filename2(osmo_stderr_target, LOG_FILENAME_BASENAME);
+		log_set_print_filename_pos(osmo_stderr_target, LOG_FILENAME_POS_LINE_END);
+		log_set_use_color(osmo_stderr_target, 1);
+	} else {
+		log_set_print_filename2(osmo_stderr_target, LOG_FILENAME_NONE);
+		log_set_use_color(osmo_stderr_target, 0);
+	}
+
+	osmo_fsm_log_timeouts(true);
+	osmo_fsm_log_addr(false);
+
+	/* actual tests */
+	test_skip_used_id();
+
+	log_fini();
+	talloc_free(main_ctx);
+	return 0;
+}
+
+/* overrides */
+
+int osmo_pfcp_endpoint_tx(struct osmo_pfcp_endpoint *ep, struct osmo_pfcp_msg *m)
+{
+	enum osmo_pfcp_cause *cause;
+
+	log("\n[test override] PFCP tx:\n%s\n\n", osmo_pfcp_msg_to_str_c(OTC_SELECT, m));
+
+	last_up_seid = 0;
+
+	cause = osmo_pfcp_msg_cause(m);
+	switch (m->h.message_type) {
+	case OSMO_PFCP_MSGT_SESSION_EST_RESP:
+		if (*cause == OSMO_PFCP_CAUSE_REQUEST_ACCEPTED) {
+			last_up_seid = m->ies.session_est_resp.up_f_seid.seid;
+			log("osmo-upf created session 0x%"PRIx64"\n\n", last_up_seid);
+		}
+		break;
+	default:
+		break;
+	};
+	osmo_pfcp_msg_free(m);
+	return 0;
+}
+
+static void *fake_nft_ctx = (void *)0x1;
+
+struct nft_ctx *nft_ctx_new(uint32_t flags)
+{
+	log("[test override] %s()\n", __func__);
+	return fake_nft_ctx;
+}
+
+void nft_ctx_free(struct nft_ctx *ctx)
+{
+	log("[test override] %s()\n", __func__);
+	log_assert(ctx == fake_nft_ctx);
+}
+
+int nft_run_cmd_from_buffer(struct nft_ctx *nft, const char *buf)
+{
+	log("\n[test override] %s():\n%s\n", __func__, buf);
+	return 0;
+}
+
+/* for deterministic recovery_time_stamp */
+time_t time(time_t *tloc)
+{
+	log("[test override] %s()\n", __func__);
+	return 0;
+}

tests/unique_ids/unique_ids_test.err

@@ -0,0 +1,436 @@
+
+===== START of test_skip_used_id
+[test override] time()
+[test override] time()
+DLPFCP NOTICE PFCP endpoint: recovery timestamp = 0x83aa7e80 (0 seconds since UNIX epoch, which is 2208988800 seconds since NTP era 0; IETF RFC 5905)
+[test override] nft_ctx_new()
+
+[test override] nft_run_cmd_from_buffer():
+add table inet osmo-upf { flags owner; };
+
+DNFT DEBUG ran nft ruleset, 42 chars: "add table inet osmo-upf { flags owner; };\n"
+DNFT NOTICE Created nft table "osmo-upf"
+
+[test override] nft_run_cmd_from_buffer():
+add chain inet osmo-upf pre { type filter hook prerouting priority -300; policy accept; };
+add chain inet osmo-upf post { type filter hook postrouting priority 400; policy accept; };
+add map inet osmo-upf tunmap-pre { typeof ip daddr . @ih,32,32 : verdict; };
+add map inet osmo-upf tunmap-post { typeof meta mark : verdict; };
+add rule inet osmo-upf pre udp dport 2152 ip daddr . @ih,32,32 vmap @tunmap-pre;
+add rule inet osmo-upf post meta mark vmap @tunmap-post;
+
+DNFT DEBUG ran nft ruleset, 465 chars: "add chain inet osmo-upf pre { type filter hook prerouting priority -300; policy accept; };\nadd chain inet osmo-upf post { type filter hook postrouting priority 400; policy accept; };\nadd map inet osmo-upf tunmap-pre { typeof ip daddr . @ih,32,32 : verdict;..."
+
+PFCP Associate peer
+DPEER DEBUG up_peer{NOT_ASSOCIATED}: Allocated
+DPEER DEBUG up_peer(1-2-3-4){NOT_ASSOCIATED}: Updated id
+DPEER DEBUG up_peer(1-2-3-4){NOT_ASSOCIATED}: Received Event UP_PEER_EV_RX_ASSOC_SETUP_REQ
+DPEER DEBUG up_peer(1-2-3-4){NOT_ASSOCIATED}: State change to ASSOCIATED (no timeout)
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: + msg-tx: now used by 1 (msg-tx)
+
+[test override] PFCP tx:
+PFCPv1 ASSOC_SETUP_RESP hdr={seq=0} ies={ 'Node ID'=v4:unsupported family 0 'Cause'=Request accepted (success) 'Recovery Time Stamp'=2208988800 'UP Function Features'=FTUP+BUNDL+RTTL }
+
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: - msg-tx: now used by 0 (-)
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_USE_COUNT_ZERO
+DPEER NOTICE up_peer(1-2-3-4){ASSOCIATED}: Peer associated, Node-Id=v4:unsupported family 0. Local UP features: [FTUP+BUNDL+RTTL]; Peer CP features: [-]
+
+ state:
+ | peer up_peer(1-2-3-4) ASSOCIATED
+
+set up tunmap, which assigns first UP-SEID 0x1, local-TEID 0x1 and 0x2, chain_ids 1 and 2
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_RX_SESSION_EST_REQ
+DSESSION DEBUG up_session(1-2-3-4){INIT}: Allocated
+DSESSION DEBUG up_session(1-2-3-4){INIT}: is child of up_peer(1-2-3-4)
+DSESSION INFO up_session(1-2-3-4){INIT}: Allocated new UP-SEID: 0x1
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: Updated id
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: + msg-rx: now used by 1 (msg-rx)
+DREF INFO up_session(1-2-3-4-0x1){INIT}: + msg-rx: now used by 1 (msg-rx)
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: Received Event UP_SESSION_EV_RX_SESSION_EST_REQ
+DREF DEBUG up_peer(1-2-3-4){ASSOCIATED}: + msg-tx: now used by 2 (msg-rx,msg-tx)
+DREF DEBUG up_session(1-2-3-4-0x1){INIT}: + msg-tx: now used by 2 (msg-rx,msg-tx)
+DSESSION INFO up_session(1-2-3-4-0x1){INIT}: Allocated new local F-TEID TEID-0x1,v4:1.1.1.1
+DSESSION INFO up_session(1-2-3-4-0x1){INIT}: New PDR-1{src:Core TEID-0x1,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-1{FORW dst:Access,GTP_U_UDP_IPV4,TEID:0x100,v4:5.6.7.8}
+DSESSION INFO up_session(1-2-3-4-0x1){INIT}: Allocated new local F-TEID TEID-0x2,v4:1.1.1.1
+DSESSION INFO up_session(1-2-3-4-0x1){INIT}: New PDR-2{src:Access TEID-0x2,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-2{FORW dst:Core,GTP_U_UDP_IPV4,TEID:0x101,v4:13.14.15.16}
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: Active PDR set:   PDR-2{src:Access TEID-0x2,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-2{FORW dst:Core,GTP_U_UDP_IPV4,TEID:0x101,v4:13.14.15.16}
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: Active PDR set: + PDR-1{src:Core TEID-0x1,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-1{FORW dst:Access,GTP_U_UDP_IPV4,TEID:0x100,v4:5.6.7.8}
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: GTP actions: 0 previously active; want active: 1
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: want: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x100 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x101 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: enabling: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x100 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x101 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:847
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:847 (flush count: 1 avg rules per flush: 1)
+
+[test override] nft_run_cmd_from_buffer():
+add chain inet osmo-upf tunmap-pre-1;
+add rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter accept;
+add chain inet osmo-upf tunmap-post-1;
+add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x101 counter accept;
+add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };
+add element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 };
+add chain inet osmo-upf tunmap-pre-2;
+add rule inet osmo-upf tunmap-pre-2 ip daddr set 5.6.7.8 meta mark set 2 counter accept;
+add chain inet osmo-upf tunmap-post-2;
+add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x100 counter accept;
+add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };
+add element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };
+
+
+DNFT DEBUG ran nft ruleset, 847 chars: "add chain inet osmo-upf tunmap-pre-1;\nadd rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32..."
+DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x100 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x101 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1: Enabled tunmap, nft chain IDs: access--1-> <-2--core
+
+[test override] PFCP tx:
+PFCPv1 SESSION_EST_RESP hdr={seq=0 SEID=0x100} ies={ 'Node ID'=v4:unsupported family 0 'Cause'=Request accepted (success) 'F-SEID'=0x1,v4:1.1.1.1 'Created PDR'={ { 'PDR ID'=1 'F-TEID'=TEID-0x1,v4:1.1.1.1 }, { 'PDR ID'=2 'F-TEID'=TEID-0x2,v4:1.1.1.1 } } }
+
+osmo-upf created session 0x1
+
+DREF DEBUG up_session(1-2-3-4-0x1){INIT}: - msg-tx: now used by 1 (msg-rx)
+DREF DEBUG up_peer(1-2-3-4){ASSOCIATED}: - msg-tx: now used by 1 (msg-rx)
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: State change to ESTABLISHED (no timeout)
+DSESSION NOTICE up_session(1-2-3-4-0x1){ESTABLISHED}: Session established: peer:1.2.3.4 SEID-r:0x100 SEID-l:0x1 state:ESTABLISHED PDR-active:2/2 FAR-active:2/2 GTP-active:1
+DREF INFO up_session(1-2-3-4-0x1){ESTABLISHED}: - msg-rx: now used by 0 (-)
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Received Event UP_SESSION_EV_USE_COUNT_ZERO
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: - msg-rx: now used by 0 (-)
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_USE_COUNT_ZERO
+
+ state:
+ | peer up_peer(1-2-3-4) ASSOCIATED
+ |  session[ESTABLISHED]: UP-SEID 0x1; chain_id access=1 core=2; local TEID access=0x2 core=0x1
+
+assert(s1->up_seid == 1)
+assert(a)
+assert(a->kind == UP_GTP_U_TUNMAP)
+assert(a->tunmap.core.tun.local.teid == 1)
+assert(a->tunmap.access.tun.local.teid == 2)
+assert(a->tunmap.access.chain_id == 1)
+assert(a->tunmap.core.chain_id == 2)
+
+simulate wrapping of IDs back to 1
+set up second tunmap, should use distinct IDs
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_RX_SESSION_EST_REQ
+DSESSION DEBUG up_session(1-2-3-4){INIT}: Allocated
+DSESSION DEBUG up_session(1-2-3-4){INIT}: is child of up_peer(1-2-3-4)
+DSESSION INFO up_session(1-2-3-4){INIT}: Allocated new UP-SEID: 0x2
+DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: Updated id
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: + msg-rx: now used by 1 (msg-rx)
+DREF INFO up_session(1-2-3-4-0x2){INIT}: + msg-rx: now used by 1 (msg-rx)
+DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: Received Event UP_SESSION_EV_RX_SESSION_EST_REQ
+DREF DEBUG up_peer(1-2-3-4){ASSOCIATED}: + msg-tx: now used by 2 (msg-rx,msg-tx)
+DREF DEBUG up_session(1-2-3-4-0x2){INIT}: + msg-tx: now used by 2 (msg-rx,msg-tx)
+DSESSION INFO up_session(1-2-3-4-0x2){INIT}: Allocated new local F-TEID TEID-0x3,v4:1.1.1.1
+DSESSION INFO up_session(1-2-3-4-0x2){INIT}: New PDR-1{src:Core TEID-0x3,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-1{FORW dst:Access,GTP_U_UDP_IPV4,TEID:0x102,v4:5.6.7.8}
+DSESSION INFO up_session(1-2-3-4-0x2){INIT}: Allocated new local F-TEID TEID-0x4,v4:1.1.1.1
+DSESSION INFO up_session(1-2-3-4-0x2){INIT}: New PDR-2{src:Access TEID-0x4,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-2{FORW dst:Core,GTP_U_UDP_IPV4,TEID:0x103,v4:13.14.15.16}
+DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: Active PDR set:   PDR-2{src:Access TEID-0x4,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-2{FORW dst:Core,GTP_U_UDP_IPV4,TEID:0x103,v4:13.14.15.16}
+DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: Active PDR set: + PDR-1{src:Core TEID-0x3,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-1{FORW dst:Access,GTP_U_UDP_IPV4,TEID:0x102,v4:5.6.7.8}
+DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: GTP actions: 0 previously active; want active: 1
+DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: want: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1
+DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: enabling: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:847
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:847 (flush count: 2 avg rules per flush: 1)
+
+[test override] nft_run_cmd_from_buffer():
+add chain inet osmo-upf tunmap-pre-3;
+add rule inet osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 counter accept;
+add chain inet osmo-upf tunmap-post-3;
+add rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x103 counter accept;
+add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 : jump tunmap-pre-3 };
+add element inet osmo-upf tunmap-post { 3 : jump tunmap-post-3 };
+add chain inet osmo-upf tunmap-pre-4;
+add rule inet osmo-upf tunmap-pre-4 ip daddr set 5.6.7.8 meta mark set 4 counter accept;
+add chain inet osmo-upf tunmap-post-4;
+add rule inet osmo-upf tunmap-post-4 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x102 counter accept;
+add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3 : jump tunmap-pre-4 };
+add element inet osmo-upf tunmap-post { 4 : jump tunmap-post-4 };
+
+
+DNFT DEBUG ran nft ruleset, 847 chars: "add chain inet osmo-upf tunmap-pre-3;\nadd rule inet osmo-upf tunmap-pre-3 ip daddr set 13.14.15.16 meta mark set 3 counter accept;\nadd chain inet osmo-upf tunmap-post-3;\nadd rule inet osmo-upf tunmap-post-3 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32..."
+DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1: Enabled tunmap, nft chain IDs: access--3-> <-4--core
+
+[test override] PFCP tx:
+PFCPv1 SESSION_EST_RESP hdr={seq=0 SEID=0x101} ies={ 'Node ID'=v4:unsupported family 0 'Cause'=Request accepted (success) 'F-SEID'=0x2,v4:1.1.1.1 'Created PDR'={ { 'PDR ID'=1 'F-TEID'=TEID-0x3,v4:1.1.1.1 }, { 'PDR ID'=2 'F-TEID'=TEID-0x4,v4:1.1.1.1 } } }
+
+osmo-upf created session 0x2
+
+DREF DEBUG up_session(1-2-3-4-0x2){INIT}: - msg-tx: now used by 1 (msg-rx)
+DREF DEBUG up_peer(1-2-3-4){ASSOCIATED}: - msg-tx: now used by 1 (msg-rx)
+DSESSION DEBUG up_session(1-2-3-4-0x2){INIT}: State change to ESTABLISHED (no timeout)
+DSESSION NOTICE up_session(1-2-3-4-0x2){ESTABLISHED}: Session established: peer:1.2.3.4 SEID-r:0x101 SEID-l:0x2 state:ESTABLISHED PDR-active:2/2 FAR-active:2/2 GTP-active:1
+DREF INFO up_session(1-2-3-4-0x2){ESTABLISHED}: - msg-rx: now used by 0 (-)
+DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: Received Event UP_SESSION_EV_USE_COUNT_ZERO
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: - msg-rx: now used by 0 (-)
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_USE_COUNT_ZERO
+
+ state:
+ | peer up_peer(1-2-3-4) ASSOCIATED
+ |  session[ESTABLISHED]: UP-SEID 0x1; chain_id access=1 core=2; local TEID access=0x2 core=0x1
+ |  session[ESTABLISHED]: UP-SEID 0x2; chain_id access=3 core=4; local TEID access=0x4 core=0x3
+
+assert(s2->up_seid == 2)
+assert(a)
+assert(a->kind == UP_GTP_U_TUNMAP)
+assert(a->tunmap.core.tun.local.teid == 3)
+assert(a->tunmap.access.tun.local.teid == 4)
+assert(a->tunmap.access.chain_id == 3)
+assert(a->tunmap.core.chain_id == 4)
+
+drop first tunmap (up_session(1-2-3-4-0x1))
+assert(session)
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Received Event UP_SESSION_EV_RX_SESSION_DEL_REQ
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: + msg-tx: now used by 1 (msg-tx)
+DREF INFO up_session(1-2-3-4-0x1){ESTABLISHED}: + msg-tx: now used by 1 (msg-tx)
+
+[test override] PFCP tx:
+PFCPv1 SESSION_DEL_RESP hdr={seq=0 SEID=0x100} ies={ 'Cause'=Request accepted (success) }
+
+DREF INFO up_session(1-2-3-4-0x1){ESTABLISHED}: - msg-tx: now used by 0 (-)
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Received Event UP_SESSION_EV_USE_COUNT_ZERO
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: - msg-tx: now used by 0 (-)
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_USE_COUNT_ZERO
+DSESSION NOTICE up_session(1-2-3-4-0x1){ESTABLISHED}: Session releasing: peer:1.2.3.4 SEID-r:0x100 SEID-l:0x1 state:ESTABLISHED PDR-active:2/2 FAR-active:2/2 GTP-active:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:381
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:381 (flush count: 3 avg rules per flush: 1)
+
+[test override] nft_run_cmd_from_buffer():
+delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 };
+delete element inet osmo-upf tunmap-post { 1 };
+delete chain inet osmo-upf tunmap-pre-1;
+delete chain inet osmo-upf tunmap-post-1;
+delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 };
+delete element inet osmo-upf tunmap-post { 2 };
+delete chain inet osmo-upf tunmap-pre-2;
+delete chain inet osmo-upf tunmap-post-2;
+
+
+DNFT DEBUG ran nft ruleset, 381 chars: "delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 };\ndelete element inet osmo-upf tunmap-post { 1 };\ndelete chain inet osmo-upf tunmap-pre-1;\ndelete chain inet osmo-upf tunmap-post-1;\ndelete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 };\ndelete ..."
+DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x100 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x101 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1: Disabled tunmap, nft chain IDs: access--1-> <-2--core
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: State change to WAIT_USE_COUNT (no timeout)
+DSESSION DEBUG up_session(1-2-3-4-0x1){WAIT_USE_COUNT}: GTP actions: 0 previously active; want active: 0
+DSESSION DEBUG up_session(1-2-3-4-0x1){WAIT_USE_COUNT}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
+DSESSION DEBUG up_session(1-2-3-4-0x1){WAIT_USE_COUNT}: Removing from parent up_peer(1-2-3-4)
+DSESSION DEBUG up_session(1-2-3-4-0x1){WAIT_USE_COUNT}: GTP actions: 0 previously active; want active: 0
+DSESSION DEBUG up_session(1-2-3-4-0x1){WAIT_USE_COUNT}: Freeing instance
+DSESSION DEBUG up_session(1-2-3-4-0x1){WAIT_USE_COUNT}: Deallocated
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_SESSION_TERM
+
+ state:
+ | peer up_peer(1-2-3-4) ASSOCIATED
+ |  session[ESTABLISHED]: UP-SEID 0x2; chain_id access=3 core=4; local TEID access=0x4 core=0x3
+
+assert(up_session_find_by_up_seid(peer, s1_up_seid) == NULL)
+
+again wrap all ID state back to 1
+set up third tunmap, should now re-use same IDs as the first session
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_RX_SESSION_EST_REQ
+DSESSION DEBUG up_session(1-2-3-4){INIT}: Allocated
+DSESSION DEBUG up_session(1-2-3-4){INIT}: is child of up_peer(1-2-3-4)
+DSESSION INFO up_session(1-2-3-4){INIT}: Allocated new UP-SEID: 0x1
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: Updated id
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: + msg-rx: now used by 1 (msg-rx)
+DREF INFO up_session(1-2-3-4-0x1){INIT}: + msg-rx: now used by 1 (msg-rx)
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: Received Event UP_SESSION_EV_RX_SESSION_EST_REQ
+DREF DEBUG up_peer(1-2-3-4){ASSOCIATED}: + msg-tx: now used by 2 (msg-rx,msg-tx)
+DREF DEBUG up_session(1-2-3-4-0x1){INIT}: + msg-tx: now used by 2 (msg-rx,msg-tx)
+DSESSION INFO up_session(1-2-3-4-0x1){INIT}: Allocated new local F-TEID TEID-0x1,v4:1.1.1.1
+DSESSION INFO up_session(1-2-3-4-0x1){INIT}: New PDR-1{src:Core TEID-0x1,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-1{FORW dst:Access,GTP_U_UDP_IPV4,TEID:0x104,v4:5.6.7.8}
+DSESSION INFO up_session(1-2-3-4-0x1){INIT}: Allocated new local F-TEID TEID-0x2,v4:1.1.1.1
+DSESSION INFO up_session(1-2-3-4-0x1){INIT}: New PDR-2{src:Access TEID-0x2,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-2{FORW dst:Core,GTP_U_UDP_IPV4,TEID:0x105,v4:13.14.15.16}
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: Active PDR set:   PDR-2{src:Access TEID-0x2,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-2{FORW dst:Core,GTP_U_UDP_IPV4,TEID:0x105,v4:13.14.15.16}
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: Active PDR set: + PDR-1{src:Core TEID-0x1,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-1{FORW dst:Access,GTP_U_UDP_IPV4,TEID:0x104,v4:5.6.7.8}
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: GTP actions: 0 previously active; want active: 1
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: want: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: enabling: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:847
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:847 (flush count: 4 avg rules per flush: 1)
+
+[test override] nft_run_cmd_from_buffer():
+add chain inet osmo-upf tunmap-pre-1;
+add rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter accept;
+add chain inet osmo-upf tunmap-post-1;
+add rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x105 counter accept;
+add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 : jump tunmap-pre-1 };
+add element inet osmo-upf tunmap-post { 1 : jump tunmap-post-1 };
+add chain inet osmo-upf tunmap-pre-2;
+add rule inet osmo-upf tunmap-pre-2 ip daddr set 5.6.7.8 meta mark set 2 counter accept;
+add chain inet osmo-upf tunmap-post-2;
+add rule inet osmo-upf tunmap-post-2 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x104 counter accept;
+add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 : jump tunmap-pre-2 };
+add element inet osmo-upf tunmap-post { 2 : jump tunmap-post-2 };
+
+
+DNFT DEBUG ran nft ruleset, 847 chars: "add chain inet osmo-upf tunmap-pre-1;\nadd rule inet osmo-upf tunmap-pre-1 ip daddr set 13.14.15.16 meta mark set 1 counter accept;\nadd chain inet osmo-upf tunmap-post-1;\nadd rule inet osmo-upf tunmap-post-1 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32..."
+DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1: Enabled tunmap, nft chain IDs: access--1-> <-2--core
+
+[test override] PFCP tx:
+PFCPv1 SESSION_EST_RESP hdr={seq=0 SEID=0x102} ies={ 'Node ID'=v4:unsupported family 0 'Cause'=Request accepted (success) 'F-SEID'=0x1,v4:1.1.1.1 'Created PDR'={ { 'PDR ID'=1 'F-TEID'=TEID-0x1,v4:1.1.1.1 }, { 'PDR ID'=2 'F-TEID'=TEID-0x2,v4:1.1.1.1 } } }
+
+osmo-upf created session 0x1
+
+DREF DEBUG up_session(1-2-3-4-0x1){INIT}: - msg-tx: now used by 1 (msg-rx)
+DREF DEBUG up_peer(1-2-3-4){ASSOCIATED}: - msg-tx: now used by 1 (msg-rx)
+DSESSION DEBUG up_session(1-2-3-4-0x1){INIT}: State change to ESTABLISHED (no timeout)
+DSESSION NOTICE up_session(1-2-3-4-0x1){ESTABLISHED}: Session established: peer:1.2.3.4 SEID-r:0x102 SEID-l:0x1 state:ESTABLISHED PDR-active:2/2 FAR-active:2/2 GTP-active:1
+DREF INFO up_session(1-2-3-4-0x1){ESTABLISHED}: - msg-rx: now used by 0 (-)
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Received Event UP_SESSION_EV_USE_COUNT_ZERO
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: - msg-rx: now used by 0 (-)
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_USE_COUNT_ZERO
+
+ state:
+ | peer up_peer(1-2-3-4) ASSOCIATED
+ |  session[ESTABLISHED]: UP-SEID 0x1; chain_id access=1 core=2; local TEID access=0x2 core=0x1
+ |  session[ESTABLISHED]: UP-SEID 0x2; chain_id access=3 core=4; local TEID access=0x4 core=0x3
+
+assert(s3->up_seid == 1)
+assert(a)
+assert(a->kind == UP_GTP_U_TUNMAP)
+assert(a->tunmap.core.tun.local.teid == 1)
+assert(a->tunmap.access.tun.local.teid == 2)
+assert(a->tunmap.access.chain_id == 1)
+assert(a->tunmap.core.chain_id == 2)
+
+set up 4th tunmap; chain_id state would use 3 and 4, but they are in use, so should assign 5 and 6
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_RX_SESSION_EST_REQ
+DSESSION DEBUG up_session(1-2-3-4){INIT}: Allocated
+DSESSION DEBUG up_session(1-2-3-4){INIT}: is child of up_peer(1-2-3-4)
+DSESSION INFO up_session(1-2-3-4){INIT}: Allocated new UP-SEID: 0x3
+DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: Updated id
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: + msg-rx: now used by 1 (msg-rx)
+DREF INFO up_session(1-2-3-4-0x3){INIT}: + msg-rx: now used by 1 (msg-rx)
+DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: Received Event UP_SESSION_EV_RX_SESSION_EST_REQ
+DREF DEBUG up_peer(1-2-3-4){ASSOCIATED}: + msg-tx: now used by 2 (msg-rx,msg-tx)
+DREF DEBUG up_session(1-2-3-4-0x3){INIT}: + msg-tx: now used by 2 (msg-rx,msg-tx)
+DSESSION INFO up_session(1-2-3-4-0x3){INIT}: Allocated new local F-TEID TEID-0x5,v4:1.1.1.1
+DSESSION INFO up_session(1-2-3-4-0x3){INIT}: New PDR-1{src:Core TEID-0x5,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-1{FORW dst:Access,GTP_U_UDP_IPV4,TEID:0x106,v4:5.6.7.8}
+DSESSION INFO up_session(1-2-3-4-0x3){INIT}: Allocated new local F-TEID TEID-0x6,v4:1.1.1.1
+DSESSION INFO up_session(1-2-3-4-0x3){INIT}: New PDR-2{src:Access TEID-0x6,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-2{FORW dst:Core,GTP_U_UDP_IPV4,TEID:0x107,v4:13.14.15.16}
+DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: Active PDR set:   PDR-2{src:Access TEID-0x6,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-2{FORW dst:Core,GTP_U_UDP_IPV4,TEID:0x107,v4:13.14.15.16}
+DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: Active PDR set: + PDR-1{src:Core TEID-0x5,v4:1.1.1.1 decaps-GTP_U_UDP_IPV4} --> FAR-1{FORW dst:Access,GTP_U_UDP_IPV4,TEID:0x106,v4:5.6.7.8}
+DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: GTP actions: 0 previously active; want active: 1
+DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: want: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1
+DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: enabling: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:847
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:847 (flush count: 5 avg rules per flush: 1)
+
+[test override] nft_run_cmd_from_buffer():
+add chain inet osmo-upf tunmap-pre-5;
+add rule inet osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 counter accept;
+add chain inet osmo-upf tunmap-post-5;
+add rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x107 counter accept;
+add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 : jump tunmap-pre-5 };
+add element inet osmo-upf tunmap-post { 5 : jump tunmap-post-5 };
+add chain inet osmo-upf tunmap-pre-6;
+add rule inet osmo-upf tunmap-pre-6 ip daddr set 5.6.7.8 meta mark set 6 counter accept;
+add chain inet osmo-upf tunmap-post-6;
+add rule inet osmo-upf tunmap-post-6 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32 set 0x106 counter accept;
+add element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5 : jump tunmap-pre-6 };
+add element inet osmo-upf tunmap-post { 6 : jump tunmap-post-6 };
+
+
+DNFT DEBUG ran nft ruleset, 847 chars: "add chain inet osmo-upf tunmap-pre-5;\nadd rule inet osmo-upf tunmap-pre-5 ip daddr set 13.14.15.16 meta mark set 5 counter accept;\nadd chain inet osmo-upf tunmap-post-5;\nadd rule inet osmo-upf tunmap-post-5 ip saddr set 1.1.1.1 udp sport set 2152 @ih,32,32..."
+DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1: Enabled tunmap, nft chain IDs: access--5-> <-6--core
+
+[test override] PFCP tx:
+PFCPv1 SESSION_EST_RESP hdr={seq=0 SEID=0x103} ies={ 'Node ID'=v4:unsupported family 0 'Cause'=Request accepted (success) 'F-SEID'=0x3,v4:1.1.1.1 'Created PDR'={ { 'PDR ID'=1 'F-TEID'=TEID-0x5,v4:1.1.1.1 }, { 'PDR ID'=2 'F-TEID'=TEID-0x6,v4:1.1.1.1 } } }
+
+osmo-upf created session 0x3
+
+DREF DEBUG up_session(1-2-3-4-0x3){INIT}: - msg-tx: now used by 1 (msg-rx)
+DREF DEBUG up_peer(1-2-3-4){ASSOCIATED}: - msg-tx: now used by 1 (msg-rx)
+DSESSION DEBUG up_session(1-2-3-4-0x3){INIT}: State change to ESTABLISHED (no timeout)
+DSESSION NOTICE up_session(1-2-3-4-0x3){ESTABLISHED}: Session established: peer:1.2.3.4 SEID-r:0x103 SEID-l:0x3 state:ESTABLISHED PDR-active:2/2 FAR-active:2/2 GTP-active:1
+DREF INFO up_session(1-2-3-4-0x3){ESTABLISHED}: - msg-rx: now used by 0 (-)
+DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: Received Event UP_SESSION_EV_USE_COUNT_ZERO
+DREF INFO up_peer(1-2-3-4){ASSOCIATED}: - msg-rx: now used by 0 (-)
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Received Event UP_PEER_EV_USE_COUNT_ZERO
+
+ state:
+ | peer up_peer(1-2-3-4) ASSOCIATED
+ |  session[ESTABLISHED]: UP-SEID 0x3; chain_id access=5 core=6; local TEID access=0x6 core=0x5
+ |  session[ESTABLISHED]: UP-SEID 0x1; chain_id access=1 core=2; local TEID access=0x2 core=0x1
+ |  session[ESTABLISHED]: UP-SEID 0x2; chain_id access=3 core=4; local TEID access=0x4 core=0x3
+
+assert(s4->up_seid == 3)
+assert(a)
+assert(a->kind == UP_GTP_U_TUNMAP)
+assert(a->tunmap.core.tun.local.teid == 5)
+assert(a->tunmap.access.tun.local.teid == 6)
+assert(a->tunmap.access.chain_id == 5)
+assert(a->tunmap.core.chain_id == 6)
+
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Terminating (cause = OSMO_FSM_TERM_REGULAR)
+DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: Terminating (cause = OSMO_FSM_TERM_PARENT)
+DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: Removing from parent up_peer(1-2-3-4)
+DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: GTP actions: 1 previously active; want active: 0
+DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: active: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1
+DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: disabling: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:381
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:381 (flush count: 6 avg rules per flush: 1)
+
+[test override] nft_run_cmd_from_buffer():
+delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 };
+delete element inet osmo-upf tunmap-post { 5 };
+delete chain inet osmo-upf tunmap-pre-5;
+delete chain inet osmo-upf tunmap-post-5;
+delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5 };
+delete element inet osmo-upf tunmap-post { 6 };
+delete chain inet osmo-upf tunmap-pre-6;
+delete chain inet osmo-upf tunmap-post-6;
+
+
+DNFT DEBUG ran nft ruleset, 381 chars: "delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x6 };\ndelete element inet osmo-upf tunmap-post { 5 };\ndelete chain inet osmo-upf tunmap-pre-5;\ndelete chain inet osmo-upf tunmap-post-5;\ndelete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x5 };\ndelete ..."
+DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x106 GTP-access-l:1.1.1.1 TEID-access-l:0x6 GTP-core-r:13.14.15.16 TEID-core-r:0x107 GTP-core-l:1.1.1.1 TEID-core-l:0x5 PFCP-peer:1.2.3.4 SEID-l:0x3 PDR-access:2 PDR-core:1: Disabled tunmap, nft chain IDs: access--5-> <-6--core
+DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: Freeing instance
+DSESSION DEBUG up_session(1-2-3-4-0x3){ESTABLISHED}: Deallocated
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Terminating (cause = OSMO_FSM_TERM_PARENT)
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Removing from parent up_peer(1-2-3-4)
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: GTP actions: 1 previously active; want active: 0
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: active: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: disabling: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:381
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:381 (flush count: 7 avg rules per flush: 1)
+
+[test override] nft_run_cmd_from_buffer():
+delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 };
+delete element inet osmo-upf tunmap-post { 1 };
+delete chain inet osmo-upf tunmap-pre-1;
+delete chain inet osmo-upf tunmap-post-1;
+delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 };
+delete element inet osmo-upf tunmap-post { 2 };
+delete chain inet osmo-upf tunmap-pre-2;
+delete chain inet osmo-upf tunmap-post-2;
+
+
+DNFT DEBUG ran nft ruleset, 381 chars: "delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x2 };\ndelete element inet osmo-upf tunmap-post { 1 };\ndelete chain inet osmo-upf tunmap-pre-1;\ndelete chain inet osmo-upf tunmap-post-1;\ndelete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x1 };\ndelete ..."
+DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x104 GTP-access-l:1.1.1.1 TEID-access-l:0x2 GTP-core-r:13.14.15.16 TEID-core-r:0x105 GTP-core-l:1.1.1.1 TEID-core-l:0x1 PFCP-peer:1.2.3.4 SEID-l:0x1 PDR-access:2 PDR-core:1: Disabled tunmap, nft chain IDs: access--1-> <-2--core
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Freeing instance
+DSESSION DEBUG up_session(1-2-3-4-0x1){ESTABLISHED}: Deallocated
+DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: Terminating (cause = OSMO_FSM_TERM_PARENT)
+DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: Removing from parent up_peer(1-2-3-4)
+DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: GTP actions: 1 previously active; want active: 0
+DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: active: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1
+DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: disabling: GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1
+DNFT INFO Added NFT ruleset to queue: n:1 strlen:381
+DNFT INFO Flushing NFT ruleset queue: reached max nr of rules: n:1 strlen:381 (flush count: 8 avg rules per flush: 1)
+
+[test override] nft_run_cmd_from_buffer():
+delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 };
+delete element inet osmo-upf tunmap-post { 3 };
+delete chain inet osmo-upf tunmap-pre-3;
+delete chain inet osmo-upf tunmap-post-3;
+delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3 };
+delete element inet osmo-upf tunmap-post { 4 };
+delete chain inet osmo-upf tunmap-pre-4;
+delete chain inet osmo-upf tunmap-post-4;
+
+
+DNFT DEBUG ran nft ruleset, 381 chars: "delete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x4 };\ndelete element inet osmo-upf tunmap-post { 3 };\ndelete chain inet osmo-upf tunmap-pre-3;\ndelete chain inet osmo-upf tunmap-post-3;\ndelete element inet osmo-upf tunmap-pre { 1.1.1.1 . 0x3 };\ndelete ..."
+DGTP NOTICE GTP:tunmap GTP-access-r:5.6.7.8 TEID-access-r:0x102 GTP-access-l:1.1.1.1 TEID-access-l:0x4 GTP-core-r:13.14.15.16 TEID-core-r:0x103 GTP-core-l:1.1.1.1 TEID-core-l:0x3 PFCP-peer:1.2.3.4 SEID-l:0x2 PDR-access:2 PDR-core:1: Disabled tunmap, nft chain IDs: access--3-> <-4--core
+DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: Freeing instance
+DSESSION DEBUG up_session(1-2-3-4-0x2){ESTABLISHED}: Deallocated
+DPEER NOTICE up_peer(1-2-3-4){ASSOCIATED}: Peer removed
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Freeing instance
+DPEER DEBUG up_peer(1-2-3-4){ASSOCIATED}: Deallocated
+[test override] nft_ctx_free()
+assert(ctx == fake_nft_ctx)
+
+===== END of test_skip_used_id