[Chilli] kmod-coova

David Bird david at coova.com
Wed May 12 11:53:05 UTC 2010


You will notice there is also a --with-nfqueue that uses some of the
same code as when used with --with-nfcoova. Queue just takes packets (or
just their headers) from kernel space to user space. Even with only
capturing headers, our tests showed this method to always be slower than
the native chilli socket method of capturing complete packets. With the
simple coova specific module instead, there is no need for authenticated
session packets to enter user-space... Authenticated traffic goes
straight through, while unauthenticated traffic is dropped by the kernel
module as chilli will do packet switching (as normal) for that traffic.

On Wed, 2010-05-12 at 13:25 +0200, Damjan wrote:
> > Been working on a concept for a kernel module for CoovaChilli. With the
> > subversion code, configure with "--with-nfcoova" to have the module
> > built. With the support built in, and the xt_coova module loaded, the
> > idea is that authenticated traffic goes straight through the kernel and
> > unauthorized traffic still goes through chilli user-space - enforcing
> > captive portal and doing the walled garden, etc. xt_coova (which borrows
> > from the 'recent' module) does a simple allow/drop decision based on
> > authentication status. Some specific configurations are needed for this
> > to work. 
> > 
> > The iptables rules might look like this:
> > 
> > iptables -I FORWARD -o eth0 --src 10.0.0.0/8 \
> >   -m coova --name chilli -j ACCEPT
> > iptables -I FORWARD -i eth0 --dst 10.0.0.0/8 \
> >   -m coova --name chilli --dest -j ACCEPT
> > 
> > iptables -I FORWARD --src 11.0.0.0/8 -j ACCEPT
> > iptables -I FORWARD --dst 11.0.0.0/8 -j ACCEPT
> > 
> > (where the assumption is that the default FORWARD rule is to DENY). The
> > idea is that traffic to/from eth0 (WAN) from source 10.0.0.0/8 (the
> > chilli DHCP IP space) is either allowed or dropped by the xt_coova
> > module based on authentication status. The 11.0.0.0/8 network, in this
> > example, is the network chilli has configured for its uamlisten.
> 
> Have you considered using something like NF_QUEUE (i.e.
> libnetfilter_queue)?
> 
> This is a mechanism with which you can reroute some packets from
> netfilter to userspace. This could maybe simplify the packet capture
> part of chillispot.
> 
> 
> http://netfilter.org/projects/libnetfilter_queue/index.html
> 
> 
> > I should mention that when using the kernel module, I have it setup such
> > that the dhcpif (eth1) is actually configured with IP address 10.1.0.1
> > and the same IP is configured in chilli as the 'dhcplisten' (note that
> > typically chilli doesn't want the dhcpif interface configured with an
> > IP). Chilli is then also configured with 'uamlisten' of 11.0.0.1 and
> > this is the IP address that gets assigned to tun0 (so note that
> > dhcplisten and uamlisten are different!). The high level concept is that
> > subscribers get a 10.1.0.0/24 IP address which is routed (when
> > authenticated) through the kernel. Chilli still monitors all traffic on
> > the dhcpif and when users are not authorized yet (i.e. their 10.1.0.0/24
> > address is not being forwarded), then chilli does the routing (after
> > doing a NAT translation from 10.1.0.0/24 to 11.1.0.0/24).
> > 
> > Thus, chilli basically is only routing unauthorized traffic while
> > authorized traffic goes straight through the kernel. With some testing
> > on open-mesh routers, we have seen this can drastically increase
> > throughput for authenticated users.
> > 
> > With the iptables rules above, here is an example chilli.conf that I
> > have been using:
> > 
> > cat <<EOF >/tmp/chilli.conf
> > net 10.1.0.0/16
> > dynip 10.1.0.0/24
> > statip 10.1.1.0/24
> > 
> > uamlisten 11.1.0.1
> > dhcplisten 10.1.0.1
> > dhcpstart 10
> > uamaliasname chilli
> > ipup=
> > ipdown=
> > 
> > radiusserver1 localhost
> > radiussecret testing123
> > dhcpif eth0
> > dns1 192.168.1.1
> > uamdomain coova.org
> > uamserver http://portal/hotspot
> > uamsecret uamsecret
> > cmdsock /var/run/chilli.sock
> > kname chilli
> > EOF
> > 
> > Give it a try if interested in testing! 
> > 
> > David
> > 
> > 
> > _______________________________________________
> > Chilli mailing list
> > Chilli at coova.org
> > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> 
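The FORWARD ruleset quoted in the message, written out as a script an operator could apply on the gateway. This is an added example, not code from the original message or from the CoovaChilli project. It assumes the interface and address ranges of the example chilli.conf (eth0 as the WAN side, 10.1.0.0/16 as the subscriber net, 11.1.0.0/16 as the uamlisten network, match name chilli), an IPT variable that can be set to echo for a dry run, and a coova_module_loaded helper that looks in /proc/modules; none of these names come from the original post.

```sh
#!/bin/sh
# Added example (not CoovaChilli project code): build the FORWARD ruleset
# described in the message for the xt_coova split path. Authenticated
# subscriber traffic matches "-m coova" and is ACCEPTed in the kernel;
# anything else from the subscriber range falls through to the chain's
# DROP policy and is left to chilli's user-space packet switching.
#
# Assumptions (not from the original post): IPT may be overridden with
# "echo" for a dry run; argument defaults follow the example chilli.conf.

IPT="${IPT:-iptables}"

coova_rules() {
    wan="$1"        # upstream interface, e.g. eth0
    subnet="$2"     # chilli 'net' (subscriber DHCP range), e.g. 10.1.0.0/16
    uamnet="$3"     # network of chilli 'uamlisten' / tun0, e.g. 11.1.0.0/16
    name="$4"       # 'kname' in chilli.conf, i.e. --name of the coova match

    # The post assumes the default FORWARD target is DENY; make that
    # explicit and start from an empty chain so rule order is as written.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Unauthenticated subscribers are routed by chilli after NAT into the
    # uamlisten range, so that range is forwarded unconditionally.
    $IPT -A FORWARD -s "$uamnet" -j ACCEPT
    $IPT -A FORWARD -d "$uamnet" -j ACCEPT

    # Subscriber -> WAN: xt_coova matches only source addresses it knows
    # as authenticated; non-matching packets hit the DROP policy.
    $IPT -A FORWARD -o "$wan" -s "$subnet" \
        -m coova --name "$name" -j ACCEPT
    # WAN -> subscriber: --dest makes the lookup on the destination address.
    $IPT -A FORWARD -i "$wan" -d "$subnet" \
        -m coova --name "$name" --dest -j ACCEPT
}

# The match needs the module loaded; check before applying for real.
coova_module_loaded() {
    grep -q '^xt_coova ' /proc/modules 2>/dev/null
}

if [ "${1:-}" = "apply" ]; then
    coova_module_loaded || modprobe xt_coova
    coova_rules "${2:-eth0}" "${3:-10.1.0.0/16}" "${4:-11.1.0.0/16}" "${5:-chilli}"
fi
```

Run it as `sh coova-forward.sh apply` on the gateway, or with `IPT=echo` to print the rules instead of installing them. It uses `-A` after an explicit flush rather than the post's `-I`, so the rules are evaluated in the order they appear in the script: the uamlisten rules first, then the two coova matches, with everything else from the subscriber range falling through to the DROP policy. That is the behaviour the message describes, where the kernel drops unauthenticated traffic on the routed path and chilli handles it on its own raw-socket path.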