[isf-wifidog] Inactive client stays connected

Scott Tully scott.tully at gmail.com
Tue Mar 1 12:02:42 EST 2005


I have a client that has successfully authenticated with my
authserver.  This client is not being disconnected after CheckInterval
 * ClientTimeout or even a longer period of inactivity.... because
there is never a period of total *incoming* inactivity.  So I
disconnected this client (laptop w/XP) from the network to be sure
nothing could possibly be active from my ip address.  The client
continued to stay connected because the incoming packets kept
increasing!

Mar  1 14:57:04 devl2 wifidog[2021]: Outgoing 10.10.10.100 Bytes=4619520107495034123
Mar  1 14:57:04 devl2 wifidog[2021]: Incoming 10.10.10.100 Bytes=4619520107494982171
Mar  1 14:57:04 devl2 wifidog[2021]: 10.10.10.100 - Updated counter.incoming to 4619520107494982171 bytes
Mar  1 14:57:04 devl2 wifidog[2023]: Read 201 bytes, total now 201
Mar  1 14:57:04 devl2 wifidog[2023]: Done reading reply, total 201 bytes
Mar  1 14:58:04 devl2 wifidog[2021]: Outgoing 10.10.10.100 Bytes=4619520107495034123
Mar  1 14:58:04 devl2 wifidog[2021]: Incoming 10.10.10.100 Bytes=4619520107494982219
Mar  1 14:58:04 devl2 wifidog[2021]: 10.10.10.100 - Updated counter.incoming to 4619520107494982219 bytes
Mar  1 14:58:04 devl2 wifidog[2023]: Read 201 bytes, total now 201
Mar  1 14:58:04 devl2 wifidog[2023]: Done reading reply, total 201 bytes
Mar  1 14:59:04 devl2 wifidog[2021]: Outgoing 10.10.10.100 Bytes=4619520107495034123
Mar  1 14:59:04 devl2 wifidog[2021]: Incoming 10.10.10.100 Bytes=4619520107494982267
Mar  1 14:59:04 devl2 wifidog[2021]: 10.10.10.100 - Updated counter.incoming to 4619520107494982267 bytes
Mar  1 14:59:04 devl2 wifidog[2023]: Read 201 bytes, total now 201
Mar  1 14:59:04 devl2 wifidog[2023]: Done reading reply, total 201 bytes
Mar  1 15:00:04 devl2 wifidog[2021]: Outgoing 10.10.10.100 Bytes=4619520107495034123
Mar  1 15:00:04 devl2 wifidog[2021]: Incoming 10.10.10.100 Bytes=4619520107494982315
Mar  1 15:00:04 devl2 wifidog[2021]: 10.10.10.100 - Updated counter.incoming to 4619520107494982315 bytes
Mar  1 15:00:04 devl2 wifidog[2023]: Read 201 bytes, total now 201
Mar  1 15:00:04 devl2 wifidog[2023]: Done reading reply, total 201 bytes


This went on for well over an hour with the client disconnected from
the network. I am not sure (due to lack of knowledge) if this is a NAT
issue, but it seems that arp requests are being counted as traffic to
an ip.  My arp cache showed an IP but no MAC address for the client. 
tcpdump revealed:

15:14:04.035739 arp who-has 10.10.10.100 tell devl2.devl2.com
15:14:05.029853 arp who-has 10.10.10.100 tell devl2.devl2.com
15:14:06.029852 arp who-has 10.10.10.100 tell devl2.devl2.com

I was unable to delete the arp record with arp -d 10.10.10.100, it
always displayed an incomplete HWaddress and arp continued the search
for a mac address. Out of desperation I ran

ip -stat -stat addr flush to 10.10.10/24

Which totally wiped out everything 10.10.10/24 (including eth1) and the
arp cache...  but five minutes later the server responded with a
logout. And the client was no more..... :-)

Is it possible that the arp requests from the gateway are counted in
mangle/WiFiDog_Incoming chain for a client ip that is no longer on the
network? (that is what is used for counting incoming bytes, correct?)
Would it be better to only look at outgoing packets to "see" if a
client is still connected?

Regards,
Scott
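
Editor's added example (not part of the original message and not WiFiDog's own code): it parses the counter lines from the log above and compares two idle-detection policies on them, one where any counter change counts as activity and one where only the client's outgoing bytes count. The expiry model in would_time_out and the value client_timeout=3 are assumptions made for illustration.

```python
import re

# Counter lines copied from the post above, mail line-wrapping rejoined.
LOG = """\
Mar  1 14:57:04 devl2 wifidog[2021]: Outgoing 10.10.10.100 Bytes=4619520107495034123
Mar  1 14:57:04 devl2 wifidog[2021]: Incoming 10.10.10.100 Bytes=4619520107494982171
Mar  1 14:58:04 devl2 wifidog[2021]: Outgoing 10.10.10.100 Bytes=4619520107495034123
Mar  1 14:58:04 devl2 wifidog[2021]: Incoming 10.10.10.100 Bytes=4619520107494982219
Mar  1 14:59:04 devl2 wifidog[2021]: Outgoing 10.10.10.100 Bytes=4619520107495034123
Mar  1 14:59:04 devl2 wifidog[2021]: Incoming 10.10.10.100 Bytes=4619520107494982267
Mar  1 15:00:04 devl2 wifidog[2021]: Outgoing 10.10.10.100 Bytes=4619520107495034123
Mar  1 15:00:04 devl2 wifidog[2021]: Incoming 10.10.10.100 Bytes=4619520107494982315
"""

LINE = re.compile(r"(\w{3}\s+\d+ [\d:]{8}) \S+ wifidog\[\d+\]: "
                  r"(Outgoing|Incoming) (\S+) Bytes=(\d+)")

def samples(log):
    """Return {ip: [(timestamp, outgoing, incoming), ...]} in log order."""
    pending, rows = {}, {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # other wifidog messages (auth replies etc.) are ignored
        ts, direction, ip, count = m.groups()
        pair = pending.setdefault((ip, ts), {})
        pair[direction] = int(count)
        if len(pair) == 2:  # both counters seen for this check
            rows.setdefault(ip, []).append((ts, pair["Outgoing"], pair["Incoming"]))
    return rows

def deltas(rows):
    """Per-interval (outgoing, incoming) byte changes between checks."""
    return [(o1 - o0, i1 - i0) for (_, o0, i0), (_, o1, i1) in zip(rows, rows[1:])]

def idle_checks(rows, policy):
    """Trailing idle checks; 'either' counts any change, 'outgoing' only client-sent bytes."""
    idle = 0
    for d_out, d_in in deltas(rows):
        active = d_out != 0 or (policy == "either" and d_in != 0)
        idle = 0 if active else idle + 1
    return idle

def would_time_out(rows, policy, client_timeout):
    # Hypothetical model: expire after client_timeout consecutive idle checks.
    return idle_checks(rows, policy) >= client_timeout

if __name__ == "__main__":
    for ip, rows in samples(LOG).items():
        print(ip, deltas(rows), would_time_out(rows, "either", 3), would_time_out(rows, "outgoing", 3))
```

On these lines the outgoing counter never moves while the incoming counter grows by 48 bytes per check, so the session only expires under the outgoing-only policy.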

