Home-Routed roaming: during Xn/N2 handover the source gNB may forward
remaining DL data to the core using UL PDU Session Information (PSC).
On the V-UPF the PSC was lost on the indirect path because OHR+OHC
removed the incoming GTP-U header (and its extensions) and we did not
recreate PSC when no QER/QFI was provisioned by the V-SMF.
This change makes the V-UPF rebuild a DL PSC for the target gNB even
when QER is absent, limited to the Access->Access indirect path
(source gNB -> V-UPF -> target gNB).
Why this is needed in HR:
- In HR deployments the V-SMF typically does not provision QER/QFI for
the temporary indirect path. Without recreating PSC from recvhdr, the
extension header disappears after OHR+OHC and the target gNB cannot
see the QFI during handover buffering/forwarding.
When UPF/SGW-U is restarted, missing f_teid_len validation causes an error.
This patch adds checks for f_teid_len > 0 in ogs_pfcp_pdr_swap_teid and
in the SGW-U and N4 handler functions.
Replace unsafe strcpy calls with ogs_cpystrn in both ogs_pfcp_dev_add()
and ogs_pfcp_subnet_add() to ensure proper length checking.
This change prevents potential buffer overflows when handling ifname
and dnn fields, which could otherwise lead to unintended overwrites
(e.g., fd and num_of_range).
This commit introduces robust validation for the F-TEID information element
in the PFCP message handling. Previously, malformed F-TEID values (such as
a zero length, zero TEID, or a TEID exceeding the pool size) could lead
to an assertion failure and crash the UPF.
The changes ensure that:
- The F-TEID length is greater than zero, confirming the IE is present.
- The TEID is a non-zero value, as a valid TEID must be positive.
- The TEID does not exceed the allowed pool size (max_ue * 4 * 16).
If any of these conditions are not met, an error is logged with the F-TEID
length and TEID value, and the function returns an error code
(OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT), preventing further processing
of the malformed message.
Previously, policies were configured via YAML files without MongoDB.
This update enhances the YAML approach by adding the 'supi_range' key to
filter policies based on UE SUPI ranges. When both 'supi_range' and
'plmn_id' are provided, both conditions must be met.
Note that PLMN-ID filtering will be deprecated in a future release.
This commit modifies the message length check in ogs_pfcp_recvfrom.
Previously, the condition only verified that the received size was less than
the expected length, which could allow messages that are too long to be
processed.
The condition now requires an exact match between the received
size and the expected total PFCP message length, ensuring proper message
validation.
This commit adds additional checks in the PFCP receive callback to ensure
that a complete PFCP message is received before parsing. A minimum header
length check and a total message length validation are now performed. This
prevents incomplete, fragmented messages from being processed and avoids
potential parsing errors and DoS conditions.
Each received PFCP message triggered ogs_pfcp_node_find(), causing a DNS
resolution if node_id was FQDN. Under heavy traffic, this could lead to
excessive DNS queries.
- Implement a 300-second refresh interval to avoid repeated DNS lookups.
- Store last_dns_refresh in each node to defer new queries until needed.
- Treat config-based nodes with no Node ID as UNKNOWN, matching them by IP
alone until ogs_pfcp_node_merge() updates their ID.
- Validate IPv4, IPv6, or FQDN types in ogs_pfcp_node_merge() and reject
invalid IDs.
- Provide inline code comments for clarity and maintainability.
- Replace direct usage of OGS_ADDR/OGS_PORT macros with
ogs_sockaddr_to_string_static() for consistent IPv4/IPv6 logging.
- Remove redundant stack buffer allocations for address printing.
- Update PFCP node address handling to use addr_list and related
merges, avoiding obsolete sa_list references.
- Use ogs_pfcp_extract_node_id() and related APIs to safely extract
PFCP Node ID, improving error handling and reducing stack usage.
Created util.h and util.c to implement the ogs_pfcp_get_node_id function,
which retrieves the node_id from a PFCP message. Utilized the
ogs_pfcp_status_e enum for enhanced error handling, distinguishing
between success, absence, and error states.
Modified the `ogs_gtp/pfcp_context_parse_config` function to iterate through
all configured GTP/PFCP server addresses. When a Fully Qualified Domain
Name (FQDN) resolves to multiple IP addresses, the server now binds and
listens on each IP address individually.
These modifications enhance the flexibility and reliability of the GTP/PFCP
server within Open5GS, allowing it to handle multiple network
interfaces and redundant IP configurations as required.
This prevents incorrect restoration behavior by ensuring the TEID is only
swapped when F-TEID.ch is false, indicating the TEID has already been assigned.
- Added support for the N9 For Roaming interface type:
- Core interface act as V-UPF.
- Access interface act as H-UPF.
- Modified V-UPF behavior:
- V-UPF updates only the TEID and IP Address in the GTP-U header.
- The content following the Extension Header is passed through directly
between the UE and H-UPF.
This implementation ensures seamless data flow between the UE, V-UPF, and H-UPF
while maintaining integrity for Home Routed Roaming scenarios.
This field was previously omitted, which could lead to
improper handling of interface-specific logic in certain scenarios.
The addition of the 3GPP Interface Type ensures correct behavior
in compliance with the 3GPP standards for PFCP message handling.
1. Fix SGW-U/UPF bug by comparing QFI only when PDI's QFI is present
Resolved an issue where the QoS Flow Identifier in the GTP-U Extension Header
was incorrectly compared regardless of the presence of PDI's QFI.
Updated the implementation to perform the comparison
only when PDI's QFI is present.
2. Add Outer Header Removal settings to SGW's PDR where necessary
Addressed the absence of Outer Header Removal in the SGW's PDR
by adding it to all required locations, ensuring proper header handling.
3. Remove unnecessary GTP-U Extension Header Removals
Eliminated all instances of GTP-U Extension Header Removal
since they should only be used during handover from 5GS to EPS.
This cleanup prevents improper header removals in other scenarios.
4. Delete unnecessary usage of Network Interface and UE IP Address
Removed all redundant references to Network Interface and UE IP Address,
streamlining the codebase and reducing potential confusion.
5. Change precedence so that Control has higher priority than Data
Adjusted the precedence settings to ensure that Control messages
are given higher priority over Data, enhancing the system's efficiency
and responsiveness.
Implement Control Message handling between V-SMF and H-SMF
during Home Routed Roaming process
Completed the implementation of control messages exchanged
between V-SMF and H-SMF as part of the Home Routed Roaming process
* [UPF/SGW-U] Optimizing data-path (#3306)
In ogs_pfcp_up_handle_pdr, there is a copy operation performed on recvbuf,
which can reduce the sending performance in the data path. Personally,
We believe that this copy operation can be eliminated.
Of course, if it is canceled, the recvbuf does not need to be released again
at the location where ogs_pfcp_up_handle_pdr is called. After testing,
it has indeed shown an improvement in performance of approximately 15-18%.
/*
sendbuf = ogs_pkbuf_copy(recvbuf);
if (!sendbuf) {
ogs_error("ogs_pkbuf_copy() failed");
return false;
}*/
sendbuf = recvbuf;</div>
* update it
The way subnet is set up has changed as shown below.
```
<OLD Format>
smf:
session:
- subnet: 10.45.0.1/16
<NEW Format>
smf:
session:
- subnet: 10.45.0.0/16
gateway: 10.45.0.1
```
For more information, please refer to Pull Request #2975.
'node_timeout' and some other functions can remove a smf_sess_t
while that session is still waiting for a PFCP reply
and has an active PFCP xact.
In this case, xact->data points to the deleted session
and xact's timeout function (sess_5gc_timeout for example)
eventually refers to this already freed session.
This fix prevents duplicate deletes from occurring by checking to see
if the session context has already been deleted when the timeout occurs.
Additionally, it moves session deletions out of timer callbacks into
state machine by reselect_upf().
Due to the way 'ogs_timer_mgr_expire' calls timer callbacks,
one must not stop or expire timers from within a timer callback.
And now one must not remove sessions from within a timer callback.
If eg. PCRF or AAA diameter link is not yet ready (eg. PCRF crashed), and
a client sends a CreateSessionRequest announcing its ow F-TEID,
then open5gs-smfd answers with Create Session Response Cause=
"Remote peer not responding", but it is not setting the received F-TEID
in the header of the response, instead it sends with TEI=0.
As a result, the peer cannot match the CreateSessionResponse, and needs
to rely on its own timeout timer to figure out that specific request failed.
This also happens in PFCP, so to solve this problem, I added teid/seid_presence
to the interface that sends the error message as shown below.
void ogs_gtp2_send_error_message(ogs_gtp_xact_t *xact,
int teid_presence, uint32_t teid, uint8_t type, uint8_t cause_value);
void ogs_pfcp_send_error_message(
ogs_pfcp_xact_t *xact, int seid_presence, uint64_t seid, uint8_t type,
uint8_t cause_value, uint16_t offending_ie_value);
For bi-directions, the rules are created in the same form as for downlink
as shown below, so to apply them for uplink, we need to swap the rules
according to the interface.
RX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
GX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
PFCP : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
RULE : Source <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> Destination <UE_IP> <UE_PORT>
TFT : Local <UE_IP> <UE_PORT> REMOTE <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
RX : permit in from <UE_IP> <UE_PORT> to <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
GX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
PFCP : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
RULE : Source <UE_IP> <UE_PORT> Destination <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
TFT : Local <UE_IP> <UE_PORT> REMOTE <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
As mentioned in the sgwu.yaml configuration file, it is possible to configure multiple addresses with different source_interface values for the gtpu interface.
Following the this section, I defined two addresses, one with source_interface set to 0 and another with source_interface set to 1. My expectation was to see different addresses for the two PDRs in the Session Establishment Response message during session establishment. However, both addresses were the same, and it was the address I had set for source_interface = 0.
When I looked into the code, I found the reason for the issue. In the lib/pfcp/context.c file, on line 1185, the function that determines the address is called as follows:
...
} else {
ogs_gtpu_resource_t *resource = NULL;
resource = ogs_pfcp_find_gtpu_resource(
&ogs_gtp_self()->gtpu_resource_list,
pdr->dnn, OGS_PFCP_INTERFACE_ACCESS);
if (resource) {
...
In the last parameter of this function, a constant value, OGS_PFCP_INTERFACE_ACCESS, is used. This causes every PDR with any source_interface to be considered as "access," and the value 0 is used for its interface.
I replaced the value with pdr->src_if, and the bug was resolved.
