[Chilli] Crazy TCP resets when CoovaChilli is enabled (UAM redirection problem)
david at coova.com
Wed May 4 05:20:08 UTC 2011
Hi, after your change, do you see duplicate packets on the dhcpif interface? What do your iptables rules look like? My suspicion is that both the kernel and chilli are forwarding packets off of the dhcpif ... In iptables, you should have a DROP for the FORWARD coming in from the dhcpif.
Coova Technologies, LLC
On Apr 27, 2011, at 4:33 PM, Yuh-Rong Leu <yuhrong.leu at gmail.com> wrote:
> I found the root cause of the crazy TCP reset messages.
> In dhcp.c, the dhcp_data_req() function calls dhcp_undoDNAT with the do_reset parameter set to 1 when authstate == DHCP_AUTH_DNAT (at around line# 4074). Therefore, crazy TCP reset messages will be sent inside dhcp_undoDNAT.
> After the code is changed to use 0 for the do_reset parameter when calling dhcp_undoDNAT, the problem goes away, and Web redirection works well with any triggering URL on any browser.
> Yuh-Rong Leu
> 2011/4/26 Yuh-Rong Leu <yuhrong.leu at gmail.com>
> Web redirection doesn't work stably with my CoovaChilli/OpenWrt box. Here are the test results:
> If the browser home page is set to http://www.google.com:
> - IE9 is seldom redirected to the welcome/login page
> - Chrome 10 is redirected to the welcome/login page most of the time.
> - Firefox 4 is redirected to the welcome/login page most of the time.
> If the browser home page is set to http://www.microsoft.com:
> - Redirection works quite fine with all kinds of browsers.
> If the browser home page is set to http://www.apple.com or http://www.bing.com:
> - Redirection does not work at all with any browsers.
> Peeking at the packets with Wireshark, I found TCP connections are reset several times by CoovaChilli/OpenWrt. And some TCP reset messages sent by CoovaChilli/OpenWrt have insanely large SEQ numbers. As the attached Wireshark packet capture, which was generated by "telnet 126.96.36.199 80," shows, 5 RST messages were sent, and 4 of them are with Seq=1246334216.
> I believe it's these crazy RST messages that make UAM redirection not work stably. I doubt the RST messages were due to firewall rules CoovaChilli added to iptables, but I have not been able to figure out where the firewall rules reside.
> Can anyone tell how CoovaChilli manipulates iptables before it sends HTTP 302 Moved Temporarily for UAM redirection?
> Yuh-Rong Leu
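The reply at the top of this thread asks whether iptables has a DROP in FORWARD for packets coming in from the dhcpif. One way to check that from `iptables-save` output, as an added example that is not part of the original messages or of CoovaChilli: the function and sample names are hypothetical, and `eth1` (dhcpif) and `tun0` are assumed interface names in constructed rule sets.

```shell
#!/bin/sh
# Audit iptables-save text (stdin) for the FORWARD handling of one interface.
# Prints: drop         - an unconditional "-i IF -j DROP" is reached first
#         accept-first - an ACCEPT that can match IF traffic comes earlier
#         missing      - no unconditional DROP for IF in filter/FORWARD
# Limitation: "+" interface wildcards and jumps to user chains are not followed.
check_forward_drop() {
    awk -v ifc="$1" '
        /^\*/ { table = substr($0, 2); next }           # "*filter", "*nat", ...
        table != "filter" || $1 != "-A" || $2 != "FORWARD" { next }
        {
            applies = 1; target = ""                    # no -i means all interfaces
            for (i = 3; i < NF; i++) {
                if ($i == "-i") {
                    neg = ($(i-1) == "!"); same = ($(i+1) == ifc)
                    applies = neg ? !same : same
                }
                if ($i == "-j") target = $(i+1)
            }
            if (!applies) next
            if (target == "ACCEPT") { print "accept-first"; found = 1; exit }
            # Exactly "-A FORWARD -i IF -j DROP": six fields, no extra matches.
            if (target == "DROP" && NF == 6) { print "drop"; found = 1; exit }
        }
        END { if (!found) print "missing" }
    '
}

# Constructed sample: dhcpif traffic is dropped before anything accepts it.
sample_good() { cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -j DROP
-A FORWARD -i tun0 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: a state-based ACCEPT can forward dhcpif packets first.
sample_leaky() { cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j DROP
COMMIT
EOF
}

echo "good:  $(sample_good  | check_forward_drop eth1)"
echo "leaky: $(sample_leaky | check_forward_drop eth1)"
```

On a live box the same function reads `iptables-save | check_forward_drop <dhcpif>`, with the interface name taken from the chilli configuration.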