Call chain of the key firewall functions

IPIF_Receive
p_if->f_IPReceiveFilter
filterdRecv
return( (ifData->receive->filterEntry)( ifData->receive, packet ) );

FwInterface::AddFwInterface
alerror = SecurityAddInterface(fw_context, &cwif);
sendwaitmessage( &msg, MSG_N_SECURITY_INTERFACE, get_security_qid() );
AtmosCwMessageHandler
ALCWAddInterface
ALCWIpFilterRegistration
ALCWInitializeInterfaceToTcpip
ALCWIpFilterRegistration
filterData.entry = ALCWIPFilter;

ALCWInterfaceFilter
ALCWIPInputFilterOnExternalInterface
ALCWIPOutputFilterOnExternalInterface
ALCWIPInputProcessorForExternal
/*************NAT*********************/
ALCSFENSMProcessExternalPacket
/* translate the destination IP address and destination port number */
ALCSFETranslateIPAddress
Take an IP packet sent from the WAN to the router as an example.

IPIF_Receive() in ipif.c calls the hook function p_if->f_IPReceiveFilter attached to that interface, which in practice is a call to the receive filter function filterdRecv() in filterd.c.

filterdRecv() calls ALCWInterfaceFilter() in cw_ipfilter.c, the port filter function. It determines the direction of the IP packet and the port it belongs to, and calls the filter function of the corresponding interface: for example, an IP packet sent from the WAN to the router goes to ALCWIPInputFilterOnExternalInterface(), while a packet going out through the WAN port goes to ALCWIPOutputFilterOnExternalInterface().

ALCWInterfaceFilter() calls ALCWIPInputFilterOnExternalInterface(), which does what its name suggests; among other things, it performs session management, much like connection tracking in Linux.

It then calls ALCWIPInputProcessorForExternal(), the function that actually processes the IP packet: it first filters against the firewall rules, then calls ALCSFENSMProcessInternalPacket() to apply NAT to the IP packet.

ALCSFENSMProcessInternalPacket(), the function that applies NAT to the IP packet, calls ALCSFETranslateIPAddress() to perform the translation.

In ALCSFETranslateIPAddress(), the direction of the IP packet, the NAT rules of the port, and the session the packet belongs to determine how SNAT or DNAT is applied to it. (Note that ALCSFETranslateIPAddress() can only DNAT an inbound packet or SNAT an outbound packet; it cannot perform both translations at the same time.)
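The chain described above, modelled in C as an added example (not the router's own code): a function-pointer hook in the style of filterData.entry, a small session table standing in for the session management, and a translate step that applies DNAT on inbound or SNAT on outbound but never both. All names, addresses and the port-forward rule are constructed.

```c
#include <stdio.h>
#include <stdint.h>
/* Constructed model of the receive-filter -> session -> NAT chain described
 * above. Every name and address here is hypothetical, not the router's code. */
enum dir { DIR_IN, DIR_OUT };                 /* DIR_IN: WAN -> router, DIR_OUT: LAN -> WAN */
enum verdict { V_DROP = 0, V_DNAT, V_SNAT };
struct pkt { uint32_t src, dst; uint16_t sport, dport; };
/* Session table (the connection-tracking role): LAN endpoint behind each WAN port. */
struct sess { uint32_t lan_ip; uint16_t lan_port, wan_port; int used; };
#define MAX_SESS 8
static struct sess sessions[MAX_SESS];
static const uint32_t WAN_IP  = 0xC0000201u;  /* 192.0.2.1, constructed */
static const uint32_t LAN_WEB = 0xC0A80A0Au;  /* 192.168.10.10, constructed */

/* Static port-forward rule (constructed): inbound WAN:8080 -> LAN_WEB:80. */
static int dnat_rule(struct pkt *p) {
    if (p->dport == 8080) { p->dst = LAN_WEB; p->dport = 80; return 1; }
    return 0;
}

/* Stand-in for the translate step: DNAT on inbound or SNAT on outbound, never both. */
static int translate(enum dir d, struct pkt *p) {
    int i;
    if (d == DIR_OUT) {                        /* SNAT: hide the LAN source behind WAN_IP */
        for (i = 0; i < MAX_SESS && sessions[i].used; i++) {}
        if (i == MAX_SESS) return V_DROP;      /* table full: fail closed */
        sessions[i] = (struct sess){ p->src, p->sport, (uint16_t)(40000 + i), 1 };
        p->src = WAN_IP; p->sport = sessions[i].wan_port;
        return V_SNAT;
    }
    for (i = 0; i < MAX_SESS; i++)             /* DNAT: reply to a known session first */
        if (sessions[i].used && sessions[i].wan_port == p->dport) {
            p->dst = sessions[i].lan_ip; p->dport = sessions[i].lan_port;
            return V_DNAT;
        }
    return dnat_rule(p) ? V_DNAT : V_DROP;     /* else static rule, else drop unsolicited */
}

/* Hook slot in the style of filterData.entry / f_IPReceiveFilter: the entry point
 * holds a function pointer, and the receive path only ever calls through it. */
typedef int (*filter_entry)(enum dir, struct pkt *);
static filter_entry receive_filter = translate;
int ipif_receive(enum dir d, struct pkt *p) { return receive_filter(d, p); }

int main(void) {
    struct pkt out = { LAN_WEB, 0x08080808u, 51000, 443 };
    int v = ipif_receive(DIR_OUT, &out);
    printf("outbound verdict %d, src now %08x:%u\n", v, out.src, out.sport);
    return 0;
}
```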