[Chilli] Crazy TCP resets when CoovaChilli is enabled (UAM redirection problem)

David Bird david at coova.com
Wed May 4 05:20:08 UTC 2011


Hi, after your change, do you see duplicate packets on the dhcpif interface? What do your iptables rules look like? My suspicion is that both the kernel and chilli are forwarding packets off of the dhcpif ... In iptables, you should have a DROP for the FORWARD coming in from the dhcpif.

--
  David Bird
  Coova Technologies, LLC

On Apr 27, 2011, at 4:33 PM, Yuh-Rong Leu <yuhrong.leu at gmail.com> wrote:

> I found the root cause of the crazy TCP reset messages.
>  
> In dhcp.c, the dhcp_data_req() function calls dhcp_undoDNAT with the do_reset parameter set to 1 when authstate == DHCP_AUTH_DNAT (at around line# 4074). Therefore, crazy TCP reset messages will be sent inside dhcp_undoDNAT.
>  
> After the code is changed to use 0 for the do_reset parameter when calling dhcp_undoDNAT, the problem goes away, and Web redirection works well with any triggering URL on any browser.
>  
> Yuh-Rong Leu
> 
> 
>  
> 2011/4/26 Yuh-Rong Leu <yuhrong.leu at gmail.com>
> Web redirection doesn't work stably with my CoovaChilli/OpenWrt box. Here are the test results:
>  
> If the browser home page is set to http://www.google.com:
> - IE9 is seldom redirected to the welcome/login page
> - Chrome 10 is redirected to the welcome/login page most of the time.
> - Firefox 4 is redirected to the welcome/login page most of the time.
>  
> If the browser home page is set to http://www.microsoft.com:
> - Redirection works quite fine with all kinds of browsers.
>  
> If the browser home page is set to http://www.apple.com or http://www.bing.com:
> - Redirection does not work at all with any browsers.
>  
> Peeking at the packets with Wireshark, I found TCP connections are reset several times by CoovaChilli/OpenWrt. And some TCP reset messages sent by CoovaChilli/OpenWrt have an insanely large SEQ number. As the attached Wireshark packet capture, which was generated by "telnet 64.233.183.105 80," shows, 5 RST messages were sent, and 4 of them are with Seq=1246334216.
>  
> I believe it's these crazy RST messages that make UAM redirection not work stably. I doubt the RST messages were due to firewall rules CoovaChilli added to iptables, but I have not been able to figure out where the firewall rules reside.
>  
> Can anyone tell how CoovaChilli manipulates iptables before it sends HTTP 302 Moved Temporarily for UAM redirection?
>  
> Yuh-Rong Leu
> 
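
The FORWARD-chain check suggested in the reply, as an added example that is not part of the original thread or of CoovaChilli: a shell function that reads `iptables -S FORWARD` output and reports whether traffic entering on the dhcpif hits an unconditional DROP before any ACCEPT that could match it. The interface names `eth1` (standing in for the dhcpif) and `tun0`, and both rule sets, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CoovaChilli code. Reads `iptables -S FORWARD` output on
# stdin and prints "dropped" if packets entering on interface $1 reach an
# unconditional DROP first, otherwise "may-forward" (the kernel could forward
# them in parallel with chilli). Jumps to user-defined chains and wildcard
# interface names (eth+) are not followed; review those by hand.
forward_verdict() {
  awk -v ifc="$1" '
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 != "-A" || $2 != "FORWARD" { next }
    {
      applies = 1; narrowed = 0; neg = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "!") { neg = 1; continue }   # negates the next match
        if ($i == "-i") {
          i++
          applies = neg ? ($i != ifc) : ($i == ifc)
        } else if ($i == "-j") {
          i++
          target = $i
        } else {
          narrowed = 1    # any other match makes the rule conditional
        }
        neg = 0
      }
      if (!applies) next                       # rule is for another interface
      if (target == "ACCEPT") { verdict = "may-forward"; exit }
      if (target == "DROP" && !narrowed) { verdict = "dropped"; exit }
    }
    END {
      # No decisive rule: the chain policy decides.
      if (verdict == "") verdict = (policy == "DROP") ? "dropped" : "may-forward"
      print verdict
    }
  '
}

# Constructed rule sets: without and with the DROP on the dhcpif (eth1).
RULES_LEAKY='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT'
RULES_FIXED='-P FORWARD ACCEPT
-A FORWARD -i eth1 -j DROP
-A FORWARD -i tun0 -j ACCEPT'

printf '%s\n' "$RULES_LEAKY" | forward_verdict eth1
printf '%s\n' "$RULES_FIXED" | forward_verdict eth1
```

On a live box the input would come from `iptables -S FORWARD`, with the configured dhcpif name as the argument.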