[isf-wifidog] Understanding the WiFidog Firewall process

[Steve Congrave]

I'm trying to understand the WiFidog firewall process (sorry for newbie
questions LOL) and have read the developer docs at
http://dev.wifidog.org/wiki/doc/developer/FlowDiagram

The Gateway Firewall rules (iptables) mangles the initial user request and
starts the auth process.
I'm ok with this and the auth process but what I find hard to understand is
how is the firewall opened up for an authenticated client?

What is the process and ruleset that allows a client that has been
authenticated, access through the firewall, and how is that then closed down
after the client has been de-authenticated (if they run out of access time
allowance for example)?

I'm trying to understand the role of iptables and whether there are changes
made to it dynamically or if something else is tagging the traffic before it
hits the firewall

Thanks for any help

Steve