[Chilli] Patch to not account broadcast and multicast traffic

Joerg Mayer jmayer at loplof.de
Tue Oct 18 14:08:06 UTC 2011


On Tue, Oct 18, 2011 at 03:48:16PM +0200, Joerg Mayer wrote:
Please ignore the part in chilli.c, it's not related to the problem.
Only the change to src/dhcp.c is relevant.

Sorry
   Jörg

> Index: src/dhcp.c
> ===================================================================
> --- src/dhcp.c	(revision 452)
> +++ src/dhcp.c	(working copy)
> @@ -3087,6 +3087,7 @@
>    char allowed = 0;
>    char has_ip = 0;
>    char is_dhcp = 0;
> +  char not_valid_unicast = 0;
>  
>    int authstate = 0;
>  
> @@ -3183,8 +3184,22 @@
>      log_dbg("dhcp/bootps request being processed");
>      return dhcp_getreq(this, pack, len);
>    }
> -  
> -  /* 
> +  not_valid_unicast =
> +       /* Multicast */
> +       (pack_iph->daddr & 0xf0000000) == 0xe0000000 ||
> +       /* All 0s broadcast */
> +       pack_iph->daddr == 0 ||
> +       /* All 1s broadcast */
> +       pack_iph->daddr == 0xffffffff ||
> +       /* Net directed broadcast */
> +       pack_iph->daddr == (_options.net.s_addr  | ~_options.mask.s_addr);
> +
> +  if (not_valid_unicast) {
> +    log_dbg("dropping packet; no valid unicast destination");
> +    return 0;
> +  }
> +
> +  /*
>     *  Check to see if we know MAC address
>     */
>    if (!dhcp_hashget(this, &conn, pack_ethh->src)) {
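Review bot: The multicast test `(pack_iph->daddr & 0xf0000000) == 0xe0000000` compares the header field against host-order constants, while the net-directed-broadcast line compares the same field against `_options.net.s_addr | ~_options.mask.s_addr`, which is in network byte order; the two cannot both be right on a little-endian host. Assuming `daddr` is stored as it arrives on the wire, the test there would miss 224.0.0.0/4 and instead match unicast destinations whose last octet is 224-239, so those packets are dropped while multicast is still accounted. I would write it as `(pack_iph->daddr & htonl(0xf0000000)) == htonl(0xe0000000) ||`. The private-range masks in the `@@ -5123` hunk of src/chilli.c have the same byte-order problem. The enclosing function starts and ends outside this hunk.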
> Index: src/chilli.c
> ===================================================================
> --- src/chilli.c	(revision 452)
> +++ src/chilli.c	(working copy)
> @@ -5052,10 +5047,13 @@
>      if (_options.layer3) {
>        struct ippoolm_t *ipm = 0;
>        struct in_addr addr;
> +      struct in_addr daddr;
>  
>        addr.s_addr = ipph->saddr;
> +      daddr.s_addr = ipph->daddr;
>  
>        if (!addr.s_addr) {
> +printf("from: %s to %s\n", inet_ntoa(addr), inet_ntoa(daddr));
>  	return tun_encaps(tun, pack, len, 0);
>        }
>  
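Review bot: The added `printf` passes two `inet_ntoa()` results to a single call, and `inet_ntoa` returns a pointer to one static buffer, so both `%s` conversions print the same address. It also writes to stdout from the packet path instead of going through `log_dbg`, which the dhcp.c hunk uses for its drop message. If the trace is kept, format each address into its own buffer with `inet_ntop` and emit it with `log_dbg`; otherwise remove the line, which the message above already implies.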
> @@ -5123,6 +5121,16 @@
>         ))
>      return tun_encaps(tun, pack, len, 0);
>    
> +  /*
> +   * Drop if destination is some private IP address - this is to avoid this
> +   * traffic to be accounted - it would get dropped in our FORWARD filter
> +   * anyway.
> +   */
> +  if ((ipph->daddr & 0xff000000) == 0x0a000000 ||
> +      (ipph->daddr & 0xfff00000) == 0xac100000 ||
> +      (ipph->daddr & 0xffff0000) == 0xc0a80000)
> +    return 0;
> +
>    if (appconn->s_state.authenticated == 1) {
>      if (chilli_acct_fromsub(appconn, len))
>        return 0;
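Review bot: The new `return 0` for private destinations sits in front of the `appconn->s_state.authenticated` check, so it applies to every subscriber, and it drops silently. The comment justifies it by "our FORWARD filter", which is one site's firewall policy hard-coded into the daemon. If the hotspot's own network or portal is in one of these ranges, that traffic would be discarded here too, unless the `tun_encaps` return just above lets it through; the condition of that return is outside the hunk. I would log the drop, for example `log_dbg("dropping packet; private destination");`, and make the ranges a configuration option rather than constants.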



-- 
Joerg Mayer                                           <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.

