[Chilli] Coova-Chilli Multi Tenanency Mode
Russell Mike
radius.sir at gmail.com
Mon Feb 11 08:50:32 UTC 2013
#!/bin/sh
TUNTAP=$(basename $DEV)
UNDO_FILE=/usr/local/var/run/chilli.$TUNTAP.sh

. /usr/local/etc/chilli/functions

[ -e "$UNDO_FILE" ] && sh $UNDO_FILE 2>/dev/null
rm -f $UNDO_FILE 2>/dev/null

ipt() {
    opt=$1; shift
    echo "iptables -D $*" >> $UNDO_FILE
    iptables $opt $*
}

ipt_in() {
    ipt -I INPUT -i $TUNTAP $*
}

if [ -n "$TUNTAP" ]
then
    # ifconfig $TUNTAP mtu $MTU

    if [ "$KNAME" != "" ]
    then
        ipt -I FORWARD -i $DHCPIF -m coova --name $KNAME -j ACCEPT
        ipt -I FORWARD -o $DHCPIF -m coova --name $KNAME --dest -j ACCEPT
        ipt -I FORWARD -i $TUNTAP -j ACCEPT
        ipt -I FORWARD -o $TUNTAP -j ACCEPT
        [ -n "$DHCPLISTEN" ] && ifconfig $DHCPIF $DHCPLISTEN
    else
        if [ "$LAYER3" != "1" ]
        then
            [ -n "$UAMPORT" -a "$UAMPORT" != "0" ] && \
                ipt_in -p tcp -m tcp --dport $UAMPORT --dst $ADDR -j ACCEPT
            [ -n "$UAMUIPORT" -a "$UAMUIPORT" != "0" ] && \
                ipt_in -p tcp -m tcp --dport $UAMUIPORT --dst $ADDR -j ACCEPT
            [ -n "$HS_TCP_PORTS" ] && {
                for port in $HS_TCP_PORTS; do
                    ipt_in -p tcp -m tcp --dport $port --dst $ADDR -j ACCEPT
                done
            }
            ipt_in -p udp -d 255.255.255.255 --destination-port 67:68 -j ACCEPT
            ipt_in -p udp -d $ADDR --destination-port 67:68 -j ACCEPT
            ipt_in -p udp --dst $ADDR --dport 53 -j ACCEPT
            ipt_in -p icmp --dst $ADDR -j ACCEPT
            ipt -A INPUT -i $TUNTAP --dst $ADDR -j DROP

            if [ "$ONLY8021Q" != "1" ]
            then
                ipt -I INPUT -i $DHCPIF -j DROP
            fi
        fi

        if [ "$ONLY8021Q" != "1" ]
        then
            ipt -I FORWARD -i $DHCPIF -j DROP
            ipt -I FORWARD -o $DHCPIF -j DROP
        fi

        ipt -I FORWARD -i $TUNTAP -j ACCEPT
        ipt -I FORWARD -o $TUNTAP -j ACCEPT

        # Help out conntrack to not get confused
        # (stops masquerading from working)
        #ipt -I PREROUTING -t raw -j NOTRACK -i $DHCPIF
        #ipt -I OUTPUT -t raw -j NOTRACK -o $DHCPIF

        # Help out MTU issues with PPPoE or Mesh
        ipt -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        ipt -I FORWARD -t mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

        [ "$HS_LAN_ACCESS" != "on" -a "$HS_LAN_ACCESS" != "allow" ] && \
            ipt -I FORWARD -i $TUNTAP \! -o $HS_WANIF -j DROP

        ipt -I FORWARD -i $TUNTAP -o $HS_WANIF -j ACCEPT

        [ "$HS_LOCAL_DNS" = "on" ] && \
            ipt -I PREROUTING -t nat -i $TUNTAP -p udp --dport 53 -j DNAT --to-destination $ADDR
    fi
fi

# site specific stuff optional
[ -e /usr/local/etc/chilli/ipup.sh ] && . /usr/local/etc/chilli/ipup.sh
Mike SAID:
Dear David B.,
First, thank you very much for showing us the correct procedure. It should
be enough from your side; I am sure this would kill the problem. I am
talking about myself only: I am not very good in bash and I did not understand
what exactly should be done, and to which part of the "up.sh", so I am humbly
requesting more help so that I do not make the situation worse. My
five instances start like this:
What should be done with my "up.sh" copied above?
root at captive:~# /etc/init.d/chilli start
Found configuration /usr/local/etc/chilli/coova-vlan10/chilli.conf
Running DHCPIF=coova-vlan10 /etc/init.d/chilli start
Starting chilli:
Found configuration /usr/local/etc/chilli/coova-vlan20/chilli.conf
Running DHCPIF=coova-vlan20 /etc/init.d/chilli start
Starting chilli:
Found configuration /usr/local/etc/chilli/coova-vlan30/chilli.conf
Running DHCPIF=coova-vlan30 /etc/init.d/chilli start
Starting chilli:
Found configuration /usr/local/etc/chilli/coova-vlan40/chilli.conf
Running DHCPIF=coova-vlan40 /etc/init.d/chilli start
Starting chilli:
Found configuration /usr/local/etc/chilli/coova-vlan50/chilli.conf
Running DHCPIF=coova-vlan50 /etc/init.d/chilli start
Starting chilli:
Thanks / RM --
> David Bird SAID:
>
> To serialize the iptables, you can edit the up.sh/down.sh scripts to
> wrap all the commands inside something like:
>
> (
> flock -s 200
>
> # ... commands executed under lock ...
>
> ) 200>/tmp/.chilli-flock
>
> David Bird
>
>> > Luic SAID:
>> >
>> > Hello everyone,
>> >
>> > 1. It could be related to iptable locking, because I've got a bit of
>> > success if I add "sleep 5" on /etc/init.d/chilli after starting each
>> > vlan. It's not 100% win, but at least the success rate increased.
>> >
>> > Mike SAID:
>> > I can agree to your point. But I do not use a different script for
>> > starting multiple instances (vlans); the same "/etc/init.d/chilli
>> > start" does start everything. But I have been advised to write a
>> > different script, then I will add the wait between the "start" of each
>> > instance. The following line in the start script just checks for "chilli.conf"
>> > files and starts everything:
>> > MULTI=$(ls /usr/local/etc/chilli/*/chilli.conf 2>/dev/null)
>> >
>> > Luic Asked:
>> > 2. The iptables file located at
>> > /usr/local/var/run/chilli.tun0.sh, is it generated every time
>> > chilli boots? Is it executed on chilli process startup? Could
>> > that be the issue? Not giving enough time for the OS to write
>> > the file, and asking it to run the script? If it's that, that
>> > would explain why a sporadic problem is happening on multi
>> > chilli, because it is starting several chilli processes as fast
>> > as the machine is capable of.
>> >
>> > Mike SAID:
>> > Yes Luic, the file with the iptables rules under "/var/run/tun*.sh"
>> > is created every time. Because I have seen that when there is a
>> > login page problem from a VLAN, I have verified that the iptables
>> > file exists as normal for that tunnel,
>> > "/var/run/tun_problem_vlan.sh". Well, are you satisfied with
>> > the contents of the iptables file? Do you think that I still
>> > need the iptables rule you advised earlier, in the above
>> > section of the communication?
>> >
>> > Ynezz SAID:
>> >
>> > All rules from up.sh except the following seem to get created:
>> >
>> > ipt_in -p tcp -m tcp --dport $UAMPORT --dst $ADDR -j ACCEPT
>> >
>> > And sometimes some other rules :)
>> >
>> > It seems to only ever happen in multi-instance environments
>> > so maybe it is something to do with iptables locking and not
>> > allowing the insertion of the rule while another instance is
>> > trying to do the same? I'm not sure.
>> >
>> > Yes, maybe something like that, I didn't investigate it in
>> > detail either.
>> >
>> > I've added simple locking into the coova-chilli init.d script
>> > and added wildcard system wide iptables rules like "-i tun+"
>> > and it improved a lot.
>> >
>> > -- ynezz
>> >
>> > Mike Wrote:
>> >
>> > Hi Ynezz,
>> >
>> > It is a fully functional UB 12.4LTS x86_64, suffering from this disease
>> > only. It will help others as well, if your suggestion fixed the
>> > problem. Are you willing to provide more information so that I can
>> > edit the script & give it a try? How is the below done, as you said:
>> >
>> > I've added simple locking into the coova-chilli init.d script and
>> > added wildcard system wide iptables rules like "-i tun+" and it
>> > improved a lot.
>> >
>> > Big Thanks 2 Everyone !!!!
>> >
>> > Thanks RM --
>> >
>> > _______________________________________________
>> > Chilli mailing list
>> > Chilli at coova.org
>> > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>>
>> --
>> David Bird
>> http://www.linkedin.com/in/dwbird
>> https://twitter.com/wlanmac
>>
>
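The flock wrap David Bird describes, applied to the INPUT rule section of the up.sh above, as an added example that is not code from the thread or from coova-chilli. It goes beyond the quoted snippet in two places: it takes an exclusive lock (flock -x), because a shared lock lets every instance in at once, and it uses file descriptor 9 instead of 200, because dash, the /bin/sh that up.sh runs under on Ubuntu, rejects multi-digit fd redirections. RUN_DIR, LOCK_FILE and IPTABLES are constructed overrides so the script can be dry-run as a normal user with IPTABLES=echo; DEV, ADDR and UAMPORT are assumed to come from chilli's environment as in the real up.sh.

```shell
#!/bin/sh
# Added example (not from the thread or coova-chilli): the INPUT rule
# section of up.sh run under an exclusive flock so that instances started
# back to back, one per VLAN, apply their iptables rules one at a time.
# Assumptions: DEV, ADDR and UAMPORT arrive from chilli's environment as in
# the real up.sh; RUN_DIR, LOCK_FILE and IPTABLES are constructed overrides
# so the script can be dry-run as a normal user with IPTABLES=echo.
IPTABLES=${IPTABLES:-iptables}

ipt() {
    opt=$1; shift
    # Record the inverse rule so a restart removes what this instance added.
    echo "$IPTABLES -D $*" >> "$UNDO_FILE"
    "$IPTABLES" "$opt" "$@"
}

ipt_in() { ipt -I INPUT -i "$TUNTAP" "$@"; }

apply_rules() {
    TUNTAP=$(basename "${DEV:-tun0}")
    UNDO_FILE=${RUN_DIR:-/usr/local/var/run}/chilli.$TUNTAP.sh
    LOCK_FILE=${LOCK_FILE:-/var/lock/chilli-up.lock}
    (
        # -x is an exclusive lock: the next instance blocks here until this
        # subshell exits and fd 9 closes. A shared lock (-s) admits every
        # holder at once and serialises nothing. fd 9 rather than 200 since
        # dash (/bin/sh on Ubuntu) only accepts single-digit redirections.
        flock -x 9
        [ -e "$UNDO_FILE" ] && sh "$UNDO_FILE" 2>/dev/null || true
        rm -f "$UNDO_FILE"
        [ -n "$UAMPORT" ] && [ "$UAMPORT" != 0 ] && \
            ipt_in -p tcp -m tcp --dport "$UAMPORT" --dst "$ADDR" -j ACCEPT
        ipt_in -p udp -d 255.255.255.255 --destination-port 67:68 -j ACCEPT
        ipt_in -p udp --dst "$ADDR" --dport 53 -j ACCEPT
        ipt_in -p icmp --dst "$ADDR" -j ACCEPT
        ipt -A INPUT -i "$TUNTAP" --dst "$ADDR" -j DROP
    ) 9>"$LOCK_FILE"
}

# Undo entries recorded for this instance, one per rule applied; a count
# lower than the number of rules in up.sh is the symptom described above.
undo_rule_count() {
    wc -l < "${RUN_DIR:-/usr/local/var/run}/chilli.$(basename "${DEV:-tun0}").sh" | tr -d ' '
}

# Run only when chilli invokes the script with DEV set; sourcing does nothing.
[ -z "$DEV" ] || apply_rules
```

After a start, comparing undo_rule_count across the chilli.tun*.sh files is a quick check that every instance got its full rule set.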