4G/ sctp issue combining external enb and internal srsenb container

[Hoernchen]

At least with my setup exposing the ports for using one external srsenb setup with physical phones and internal srsenb_zmq for srsue does not work, because then the srsenb_zmq container can't connect to the mme. The sctp connection gets to the INIT / INIT_ACK stage, and that's it.

Solution:
Docker adds this iptables rule

dev@dev */docker_open5gs   master ±  sudo iptables-save 
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun 21 16:46:02 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [42:2868]
-A POSTROUTING -p sctp -m sctp --sport 36412 -j CHECKSUM --checksum-fill
COMMIT
< .. snip ..>

This rule basically breaks the checksum for internal packets in some weird way. The fix in my case is to just remove that rule, or change it by ensuring it does not apply to traffic targeting the docker subnet.

I just thought I might add this information here in case someone else hits that issue, debugging that was not easy.

See related moby issue moby/moby#47952 and code comment pointing at the kernel commit and reason.

[herlesupreeth]

Thanks @Hoernchen for sharing this information.