[Chilli] kmod-coova

David Bird david at coova.com
Wed Apr 7 05:10:50 UTC 2010


Been working on a concept for a kernel module for CoovaChilli. With the
subversion code, configure with "--with-nfcoova" to have the module
built. With the support built in, and the xt_coova module loaded, the
idea is that authenticated traffic goes straight through the kernel and
unauthorized traffic still goes through chilli user-space - enforcing
captive portal and doing the walled garden, etc. xt_coova (which borrows
from the 'recent' module) does a simple allow/drop decision based on
authentication status. Some specific configurations are needed for this
to work. 

The iptables rules might look like this:

iptables -I FORWARD -o eth0 --src \
  -m coova --name chilli -j ACCEPT
iptables -I FORWARD -i eth0 --dst \
  -m coova --name chilli --dest -j ACCEPT

iptables -I FORWARD --src -j ACCEPT
iptables -I FORWARD --dst -j ACCEPT

(where the assumption is that the default FORWARD rule is to DENY). The
idea is that traffic to/from eth0 (WAN) from source (the
chilli DHCP IP space) is either allowed or dropped by the xt_coova
module based on authentication status. The network, in this
example, is the network chilli has configured for its uamlisten.

I should mention that when using the kernel module, I have it set up such
that the dhcpif (eth1) is actually configured with IP address
and the same IP is configured in chilli as the 'dhcplisten' (note that
typically chilli doesn't want the dhcpif interface configured with an
IP). Chilli is then also configured with 'uamlisten' of and
this is the IP address that gets assigned to tun0 (so note that
dhcplisten and uamlisten are different!). The high level concept is that
subscribers get a IP address which is routed (when
authenticated) through the kernel. Chilli still monitors all traffic on
the dhcpif and when users are not authorized yet (i.e. their
address is not being forwarded), then chilli does the routing (after
doing a NAT translation from to 

Thus, chilli basically is only routing unauthorized traffic while
authorized traffic goes straight through the kernel. With some testing
on open-mesh routers, we have seen this can drastically increase
throughput for authenticated users.

With the iptables rules above, here is an example chilli.conf that I
have been using:


dhcpstart 10
uamaliasname chilli

radiusserver1 localhost
radiussecret testing123
dhcpif eth0
uamdomain coova.org
uamserver http://portal/hotspot
uamsecret uamsecret
cmdsock /var/run/chilli.sock
kname chilli

Give it a try if interested in testing! 
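As an added illustration (not code from this post or from CoovaChilli), the following Python model traces the FORWARD chain above: four rules inserted with `-I` (so each lands at the top, reversing the listed order), a default DROP policy, and an `xt_coova`-style allow/drop decision keyed on a table of authenticated client addresses. The networks 10.1.0.0/16 (client DHCP space) and 10.2.0.0/24 (uamlisten network), the interface names, and the `CoovaTable` class are assumptions standing in for the addresses the post elides; the real match lives in the kernel and is modelled only by its outcome.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Constructed placeholder values: the post's real networks are elided,
# so these are assumptions made purely to have a runnable model.
CLIENT_NET = ipaddress.ip_network("10.1.0.0/16")  # chilli DHCP client space
UAM_NET = ipaddress.ip_network("10.2.0.0/24")     # network used for uamlisten
WAN_IF = "eth0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str


class CoovaTable:
    """Stand-in for the xt_coova match: a named table of authenticated
    client addresses, in the spirit of the 'recent' module's lists."""

    def __init__(self, name: str):
        self.name = name
        self._authed = set()

    def authorize(self, ip: str) -> None:
        self._authed.add(ipaddress.ip_address(ip))

    def deauthorize(self, ip: str) -> None:
        self._authed.discard(ipaddress.ip_address(ip))

    def matches(self, pkt: Packet, dest: bool = False) -> bool:
        # '--dest' checks the destination address instead of the source
        addr = pkt.dst if dest else pkt.src
        return ipaddress.ip_address(addr) in self._authed


class Chain:
    """A FORWARD chain: first matching rule wins, else the default policy."""

    def __init__(self, policy: str = "DROP"):
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:
        # 'iptables -I' without a position inserts at the top of the chain
        self.rules.insert(0, rule)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.match(pkt):
                return rule.target
        return self.policy


def in_net(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net


def build_forward_chain(coova: CoovaTable) -> Chain:
    """Insert the four rules in the order the post lists them."""
    chain = Chain(policy="DROP")
    chain.insert(Rule(lambda p: p.out_if == WAN_IF and in_net(p.src, CLIENT_NET)
                      and coova.matches(p), "ACCEPT"))
    chain.insert(Rule(lambda p: p.in_if == WAN_IF and in_net(p.dst, CLIENT_NET)
                      and coova.matches(p, dest=True), "ACCEPT"))
    chain.insert(Rule(lambda p: in_net(p.src, UAM_NET), "ACCEPT"))
    chain.insert(Rule(lambda p: in_net(p.dst, UAM_NET), "ACCEPT"))
    return chain


def walk_through() -> dict:
    """Trace one subscriber from unauthenticated to authenticated and back."""
    coova = CoovaTable("chilli")
    chain = build_forward_chain(coova)
    client = "10.1.0.50"  # constructed client address inside CLIENT_NET
    outbound = Packet(src=client, dst="203.0.113.10", in_if="eth1", out_if=WAN_IF)
    inbound = Packet(src="203.0.113.10", dst=client, in_if=WAN_IF, out_if="eth1")
    # Unauthenticated traffic that chilli has NATed onto the uamlisten
    # network and routed via tun0 (constructed to model the user-space path).
    natted = Packet(src="10.2.0.1", dst="203.0.113.10", in_if="tun0", out_if=WAN_IF)

    result = {
        "unauth_out": chain.decide(outbound),   # kernel drops; chilli handles it
        "unauth_in": chain.decide(inbound),
        "natted_out": chain.decide(natted),     # uamlisten accept rule fires
    }
    coova.authorize(client)
    result["auth_out"] = chain.decide(outbound)  # now straight through the kernel
    result["auth_in"] = chain.decide(inbound)
    coova.deauthorize(client)
    result["after_logout_out"] = chain.decide(outbound)
    return result


if __name__ == "__main__":
    for step, verdict in walk_through().items():
        print(f"{step:18s} {verdict}")
```

The point worth checking on a real box is the one the model makes explicit: because `-I` prepends, the two uamlisten accepts end up above the coova rules, so traffic chilli has NATed onto the uamlisten network is forwarded without consulting the authentication table, while a client's own DHCP-space address is forwarded only while it is in the table, and falls back to the DROP policy (and hence to chilli user space) as soon as it is removed.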

