Help! Chilli accounting for dropped packets

wlan at mac.com wlan at mac.com
Thu May 8 06:21:29 UTC 2008 

Hi Gunther,

The issue is that chilli's _raw_ socket on the dhcpif sees packets  
_before_ the kernel does. This is why you should be dropping all  
input on the dhcpif interface in iptables - because otherwise you  
have chilli _and_ the kernel processing (and potentially forwarding  
the same) packets. So, you can not use iptables to filter traffic  
coming into chilli. As you noted, you _can_ control how packets are  
forwarded through the kernel -- this includes packets chilli is  
forwarding through the tun interface.

As for accounting, it really should be counting (per RFC) data  
received from and sent to the subscriber from the NAS. Meaning, it is  
doing the right thing by counting all packets received and sent to  
the subscriber, even if later dropped by iptables.

I suppose a feature you would like -- and others have mentioned it  
too -- would be something like an "acctignore" option to list out (in  
a uamallowed fashion) networks to not count in accounting. This way  
you can exclude the same ports you are filtering...

David

On May 7, 2008, at 7:42 PM, Gunther Mayer wrote:

> Hi again,
>
> We recently noticed that a very nasty trojan/virus is doing the  
> rounds that uploads a ton of data to the Internet. Since our  
> captive portal charges in data units this becomes a major problem  
> as customers loose their purchased Internet units like water  
> through a sieve. While legally not our problem customers still  
> contact us all the time wondering what happened, demanding refunds  
> and all that jazz.
>
> Tricky part is: we cannot sanely ask them to "quickly" download,  
> install and/or upgrade their anti-virus because either they already  
> have a zero balance or doing so would lose them even more units.  
> It's a catch-22 until we find a way to block those trojans.
>
> I started investigating instead what patterns such abnormal  
> Internet usage follows and managed to block specific instances with  
> custom iptables firewall rules (based on port and/or host specs).  
> One example:
>
> iptables -I FORWARD -p tcp --dport 5000 -j DROP
>
> The problem though is: even though the kernel correctly drops the  
> trojan's packets (verified with iptables -L -vn), chilli somehow  
> still counts them, so I've only solved the smaller part of the  
> problem, making sure that the bogus packets never reach the  
> Internet. The larger part, that of upload accounting going  
> ballistic is still unaddressed. I always thought the kernel would  
> drop them BEFORE chilli gets its hands on them for accounting  
> purposes, but it seems like it does so AFTER.
>
> What can I do, if anything, to make sure that either chilli  
> disregards certain packets or that I get the kernel to drop packets  
> BEFORE chilli gets hold of them?
>
> Gunther
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
> For additional commands, e-mail: chilli-help at coova.org
> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> Forum: http://coova.org/phpBB3/viewforum.php?f=4
>

More information about the Chilli mailing list