wifidog 源碼初分析（1）-轉

wifidog 的核心還是依賴於 iptables 防火牆過濾規則來實現的，所以建議對 iptables 有了了解后再去閱讀 wifidog 的源碼。

在路由器上啟動 wifidog 之后，wifidog 在啟動時會初始化一堆的防火牆規則，如下：

[cpp] view plaincopy

1. /** Initialize the firewall rules
2. */
3. int iptables_fw_init(void)  
4. {  
5.     … …  
6. /*
7.      *
8.      * Everything in the NAT table
9.      *
10.      */
11. /* Create new chains */
12.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);  
13.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);  
14.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);  
15.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);  
16.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);  
17.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);  
18. /* Assign links and rules to these new chains */
19.     iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);  
20.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);  
21.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");  
22.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);  
23.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);  
24.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);  
25.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);  
26.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);  
27.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);  
28. // 將 80 端口的訪問重定向(REDIRECT)到 (本路由)網關web服務器的監聽端口
29.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);  
30. /*
31.      *
32.      * Everything in the FILTER table
33.      *
34.      */
35. /* Create new chains */
36.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);  
37.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);  
38.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);  
39.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);  
40.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);  
41.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);  
42.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);  
43. /* Assign links and rules to these new chains */
44. /* Insert at the beginning */
45.     iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);  
46.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");  
48. /* TCPMSS rule for PPPoE */
49.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);  
50.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);  
51.     iptables_fw_set_authservers();  
52.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);  
53.     iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);  
54.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);  
55.     iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);  
56.     iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);  
57.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);  
58.     iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);  
59.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);  
60.     iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);  
61.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);  
62.     iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);  
63.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");  
64.     UNLOCK_CONFIG();  
65. return 1;  
66. } 

在該 防火牆規則的初始化過程中，會首先清除掉已有的防火牆規則，重新創建新的過濾鏈，另外，除了通過iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 這個命令將 接入設備的 80 端口（HTTP）的訪問重定向至網關自身的 HTTP 的端口之外，還通過iptables_fw_set_authservers(); 函數設置了 鑒權服務器(auth-server) 的防火牆規則：

[cpp] view plaincopy

1. void iptables_fw_set_authservers(void)  
2. {  
3. const s_config *config;  
4.     t_auth_serv *auth_server;  
5.     config = config_get_config();  
6. for (auth_server = config->auth_servers; auth_server != NULL; auth_server = auth_server->next) {  
7. if (auth_server->last_ip && strcmp(auth_server->last_ip, "0.0.0.0") != 0) {  
8.             iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);  
9.             iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);  
10.         }  
11.     }  
12. } 

首先從上面的代碼可以看出 wifidog 支持多個 鑒權服務器，並且針對每一個鑒權服務器 設置了如下兩條規則：

1)在filter表中追加一條[任何訪問鑒權服務器都被接受]的WiFiDog_$ID$_AuthServers過濾鏈：

iptables -t filter -A  WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT

2)在nat表中追加一條[任何訪問鑒權服務器都被接受]的WiFiDog_$ID$_AuthServers過濾鏈：

iptables -t nat -A WiFiDog_$ID$_AuthServers  -d auth-server地址 -j ACCEPT

這樣確保可以訪問鑒權服務器，而不是拒絕所有的出口訪問。