From 426978b0fc0fd52bc8585d6cc00512d775bc95e1 Mon Sep 17 00:00:00 2001 From: bbruns Date: Sat, 12 Apr 2014 15:09:08 +0000 Subject: [PATCH] Kernel module loading implemented --- CHANGELOG | 6 +++++- bin/srfirewall | 15 ++++++++++++--- etc/ipv4.conf | 23 ++++++++++++++++++++++- etc/ipv6.conf | 19 +++++++++++++++++++ lib/iptables.inc | 2 +- lib/kernel.inc | 28 ++++++++++++++++++++++++++++ 6 files changed, 87 insertions(+), 6 deletions(-) create mode 100644 lib/kernel.inc
diff --git a/CHANGELOG b/CHANGELOG
index 23ebd51..4d96db4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,8 @@
-2.00 Alpha 1
+2.00 Alpha 2 - 04/11/2014
+ - Slightly better documentation
+ - Module loading for netfilter helpers
+
+2.00 Alpha 1 - 04/10/2014
 - Complete code rewrite and restructure to solve some long standing issues with v1
 - Separate out functions into support files for easier grouping of what they do
 - Make more compatible with multiple disto file layouts
diff --git a/bin/srfirewall b/bin/srfirewall
index 8b98620..4a0d2e2 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -31,6 +31,7 @@ FWBINDIR="${FWPREFIX}/bin"
 source "${FWLIBDIR}/binaries.inc"
 source "${FWLIBDIR}/iptables.inc"
 source "${FWLIBDIR}/display.inc"
+source "${FWLIBDIR}/kernel.inc"
 source "${FWCONFIGDIR}/main.conf"
@@ -46,10 +47,10 @@ source "${FWCONFIGDIR}/ipv6.conf"
 [[ -e "{FWCONFIGDIR}/ipv6/local.conf" ]] && source "{FWCONFIGDIR}/ipv6/local.conf"
-# We require at least bash v3 or later at this point given some of the more complex
+# We require at least bash v2 or later at this point given some of the more complex
 # operations we do to make the firewall script work.
 if (( ${BASH_VERSINFO[0]} <= "2" )); then
- echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
+ echo "Error: We can only run with bash 2.0 or higher. Please upgrade your version"
 echo "of bash to something more recent, preferably the latest which is, as of this"
 echo "writing, 4.x"
 exit 1
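Review bot: The rewritten comment and error message now promise bash 2.0 support, but the guard directly below them, `if (( ${BASH_VERSINFO[0]} <= "2" )); then`, still exits on every bash 2.x, so the new text contradicts the check it describes; either restore `bash 3.0 or higher` in both lines or change the test, and restoring the 3.0 wording is the smaller and safer change. In the same hunk the context line `[[ -e "{FWCONFIGDIR}/ipv6/local.conf" ]] && source "{FWCONFIGDIR}/ipv6/local.conf"` is missing the `$` in both `{FWCONFIGDIR}` expansions, so the IPv6 local override file can never be found or sourced; `"${FWCONFIGDIR}/ipv6/local.conf"` in both places fixes it. The `fi` closing this version check is outside the hunk as shown.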
@@ -178,7 +179,11 @@ if [ "${EnableIPv4}" == "yes" ]; then
 Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}
 Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}
 Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}
- default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
+ default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
+ ([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
+ && load_kernel_modules "${Loadv4NetfilterModules}"
+ ([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] \
+ && [[ ${Enablev4NAT} == "yes" ]]) && load_kernel_modules "${Loadv4NetfilterModulesNAT}"
 [[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
 ([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
 && enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
@@ -208,6 +213,10 @@ if [ "${EnableIPv6}" == "yes" ]; then
 Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
 Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
 default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}
+ ([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
+ && load_kernel_modules "${Loadv6NetfilterModules}"
+ ([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] \
+ && [[ ${Enablev6NAT} == "yes" ]]) && load_kernel_modules "${Loadv6NetfilterModulesNAT}"
 [[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
 ([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
 && enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
diff --git a/etc/ipv4.conf b/etc/ipv4.conf
index e443b4c..5176535 100644
--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
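Review bot: Both new `load_kernel_modules` calls pass the module list as the first and only argument, but the function added in lib/kernel.inc reads it from `${2}` (`LOAD_MODULES="${2}"`), so the list is empty at runtime and no helper module is ever loaded; the IPv6 calls in the @@ -208 hunk have the same mismatch. The sibling helpers on the adjacent lines take the address family first (`enable_mss_clamp ipv4`, `enable_conntrack_int ipv4 "…"`), so the intended call is probably `load_kernel_modules ipv4 "${Loadv4NetfilterModules}"` (and `ipv6` in the other hunk); the alternative is to make the function read `${1}`, but one side has to change. As a point of style, wrapping two `[[ ]]` tests in `( … )` forks a subshell just to evaluate them, and the second statement re-evaluates the first two conditions; a single `if` with the NAT list as a nested check says the same thing without the duplication. The enclosing `if [ "${EnableIPv4}" == "yes" ]` block starts and ends outside the hunk.
```bash
	default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
	if [[ ${Enablev4NetfilterModules} == "yes" && ${Enablev4ConnectionTracking} == "yes" ]]; then
		load_kernel_modules ipv4 "${Loadv4NetfilterModules}"
		[[ ${Enablev4NAT} == "yes" ]] && load_kernel_modules ipv4 "${Loadv4NetfilterModulesNAT}"
	fi
	# … unchanged: MSS clamp and conntrack interface handling …
```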
@@ -29,7 +29,8 @@ Enablev4MSSClamp="yes"
 # packets it allows and refuses. On highly loaded systems or
 # ones with low memory, this may be desirable. Everyone else
 # should probably leave this on.
-# Depended on by: Enablev4NAT Enablev4ConnTrackInterfaces
+# Depended on by: Enablev4NAT Enablev4ConnTrackInterfaces Enablev4NetfilterModules
+# Loadv4NetfilterModules
 # Values: no | yes (default)
 Enablev4ConnectionTracking="yes"
@@ -97,6 +98,26 @@ Enablev4NAT="yes"
 # Values: no | yes (default)
 Enablev4PortForwarding="yes"
+# Enable loading of helper modules
+# Load kernel modules for various helpers/ALGs that netfilter
+# has available. You may need to modify the Loadv4NetfilterModules
+# option as sometimes kernel modules may not exist or be renamed on
+# a particular system.
+# Values: no | yes (default)
+Enablev4NetfilterModules="yes"
+
+# List of kernel netfilter modules to Load
+# Default: nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc
+# nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre
+# nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip
+# nf_conntrack_broadcast
+Loadv4NetfilterModules="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_broadcast"
+
+# These are loaded as well if you have Enablev4NAT set to yes
+# Default: nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp
+# nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip
+Loadv4NetfilterModulesNAT="nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip"
+
 # Default policy for filtering rules
 # netfilter/iptables has a default policy that can be set, such as
 # DROP all unless it is explicitly allowed via rules.
diff --git a/etc/ipv6.conf b/etc/ipv6.conf
index f9c4f8f..48b7211 100644
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
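Review bot: The new `Enablev4NetfilterModules` block never states that it also depends on `Enablev4ConnectionTracking`, although bin/srfirewall only calls `load_kernel_modules` when both options are `yes`, and the first hunk of this file already records the reverse link in its `Depended on by:` line; add `# Depends on: Enablev4ConnectionTracking` above the `Values:` line, and `# Depends on: Enablev4NAT Enablev4NetfilterModules` above `Loadv4NetfilterModulesNAT`. The default enables every helper in the list on every install, and each helper adds in-kernel parsing of its protocol's traffic, so a sentence such as `# Trim this list to the protocols this host actually passes; unused helpers only add exposure` would let users apply least privilege deliberately rather than by accident. Minor: `modules to Load` should be `modules to load`.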
@@ -97,6 +97,25 @@ Enablev6NAT="yes"
 # Values: no | yes (default)
 Enablev6PortForwarding="yes"
+# Enable loading of helper modules
+# Load kernel modules for various helpers/ALGs that netfilter
+# has available. You may need to modify the Loadv4NetfilterModules
+# option as sometimes kernel modules may not exist or be renamed on
+# a particular system.
+# This is set to no by default on ipv6 because on my test system, I do not
+# see any usable helper modules for ipv6 use. Obviously this may change
+# in the future.
+# Values: no (default) | yes
+Enablev6NetfilterModules="no"
+
+# List of kernel netfilter modules to Load
+# Default: none
+Loadv6NetfilterModules=""
+
+# These are loaded as well if you have Enablev4NAT set to yes
+# Default: none
+Loadv6NetfilterModulesNAT=""
+
 # Default policy for filtering rules
 # netfilter/iptables has a default policy that can be set, such as
 # DROP all unless it is explicitly allowed via rules.
diff --git a/lib/iptables.inc b/lib/iptables.inc
index d4af874..2a6b537 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -60,7 +60,7 @@ function default_policy_set {
 ipv6) VER_IPTABLES=${IP6TABLES} ;;
 ipv4|*) VER_IPTABLES=${IPTABLES} ;;
 esac
- ${display} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
+ ${display} RED "Setting ${IP_VERSION} policies to INPUT:${INPOLICY} OUTPUT:${OUTPOLICY} FORWARD:${FWDPOLICY}..."
 ${VER_IPTABLES} --policy INPUT ${INPOLICY}
 ${VER_IPTABLES} --policy OUTPUT ${OUTPOLICY}
 ${VER_IPTABLES} --policy FORWARD ${FWDPOLICY}
diff --git a/lib/kernel.inc b/lib/kernel.inc
new file mode 100644
index 0000000..d20874b
--- /dev/null
+++ b/lib/kernel.inc
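Review bot: Two comments in the new IPv6 block were copied from ipv4.conf without renaming the variables: `You may need to modify the Loadv4NetfilterModules` should read `Loadv6NetfilterModules`, and `These are loaded as well if you have Enablev4NAT set to yes` should read `Enablev6NAT`, which is the variable bin/srfirewall actually tests before loading `Loadv6NetfilterModulesNAT`. A user who follows the comment as written would edit the IPv4 list and see no effect on IPv6. As in the IPv4 file, a `# Depends on: Enablev6ConnectionTracking` line would document the second condition the loader checks.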
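Review bot: The new banner prints `INPUT:${INPOLICY} OUTPUT:${OUTPOLICY} FORWARD:${FWDPOLICY}` before the values are handed unquoted and unvalidated to `${VER_IPTABLES} --policy …` on the following lines, so a mistyped policy in the config surfaces only as an iptables error after the message has claimed the policy was set, and unless the script runs under `set -e` (not visible here) the chain silently keeps its previous policy. Checking each call, e.g. `${VER_IPTABLES} --policy INPUT ${INPOLICY} || ${display} RED "Failed to set ${IP_VERSION} INPUT policy to ${INPOLICY}"`, keeps the display honest; validating the three values against the documented set before the banner would be better still. `default_policy_set` begins outside the hunk.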
@@ -0,0 +1,28 @@
+#!/bin/bash
+# By Brielle Bruns
+# URL: http://www.sosdg.org/freestuff/firewall
+# License: GPLv3
+#
+# Copyright (C) 2009 - 2014 Brielle Bruns
+# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+function load_kernel_modules {
+ LOAD_MODULES="${2}"
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+ for i in $LOAD_MODULES; do
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Loading kernel module ${i}..."
+ ${MODPROBE} ${i}
+ done
+}
\ No newline at end of file
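Review bot: `${MODPROBE} ${i}` discards modprobe's exit status, so a missing or renamed module — the very case the ipv4.conf comment warns about — is skipped with nothing but the preceding debug line as a trace, and an operator who relies on a helper being present gets no error; report it, e.g. `${MODPROBE} "${i}" || ${display} RED "Failed to load kernel module ${i}"`, since `${display} RED` is already the convention in lib/iptables.inc. `LOAD_MODULES` and the loop variable `i` are assigned without `local`, so both leak into the main script's scope after the call; declare them `local`. The unquoted `$LOAD_MODULES` in the `for` is the intended word-splitting of a space-separated config value, which deserves a one-line comment such as `# intentionally unquoted: the config value is a space-separated module list` so it is not "fixed" later. The license header ends with `If not, see .` (the URL seems to have been lost, possibly in extraction) and the file lacks a trailing newline.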