wifidog 源碼初分析（1）-轉

最後更新：2014-06-25 來源：互聯網

上載者：User

創建阿里雲帳戶，並獲得超過 40 款產品的免費試用版；而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊！

標籤：blog code http ext com get

wifidog 的核心還是依賴於 iptables 防火牆過濾規則來實現的，所以建議對 iptables 有了瞭解後再去閱讀 wifidog 的源碼。

在路由器上啟動 wifidog 之後，wifidog 在啟動時會初始化一堆的防火牆規則，如下：

[cpp] view plaincopy

/** Initialize the firewall rules
*/
int iptables_fw_init(void)
{
… …
/*
*
* Everything in the NAT table
*
*/
/* Create new chains */
iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
/* Assign links and rules to these new chains */
iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");
iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
// 將 80 連接埠的訪問重新導向(REDIRECT)到 (本路由)網關web伺服器的監聽連接埠
iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
/*
*
* Everything in the FILTER table
*
*/
/* Create new chains */
iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
/* Assign links and rules to these new chains */
/* Insert at the beginning */
iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
/* TCPMSS rule for PPPoE */
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
iptables_fw_set_authservers();
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
UNLOCK_CONFIG();
return 1;
}

在該防火牆規則的初始化過程中，會首先清除掉已有的防火牆規則，重新建立新的過濾鏈，另外，除了通過iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 這個命令將接入裝置的 80 連接埠（HTTP）的訪問重新導向至網關自身的 HTTP 的連接埠之外，還通過iptables_fw_set_authservers(); 函數設定了鑒權伺服器(auth-server) 的防火牆規則：

[cpp] view plaincopy

void iptables_fw_set_authservers(void)
{
const s_config *config;
t_auth_serv *auth_server;
config = config_get_config();
for (auth_server = config->auth_servers; auth_server != NULL; auth_server = auth_server->next) {
if (auth_server->last_ip && strcmp(auth_server->last_ip, "0.0.0.0") != 0) {
iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);
}
}
}

首先從上面的代碼可以看出 wifidog 支援多個鑒權伺服器，並且針對每一個鑒權伺服器設定了如下兩條規則：

1)在filter表中追加一條[任何訪問鑒權伺服器都被接受]的WiFiDog_$ID$_AuthServers過濾鏈：

iptables -t filter -A WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT

2)在nat表中追加一條[任何訪問鑒權伺服器都被接受]的WiFiDog_$ID$_AuthServers過濾鏈：

iptables -t nat -A WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT

這樣確保可以訪問鑒權伺服器，而不是拒絕所有的出口訪問。

本文章原先以中文撰寫並發佈於 aliyun.com，亦設英文版本，僅作資訊用途。本網站不對文章的準確性，完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴，請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡，一經驗證之後，即會刪除該侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More