firewall-init: firewall.d/functions - reality check - added generic_(un)loa...
baggins
baggins at pld-linux.org
Tue Dec 29 22:09:51 CET 2009
Author: baggins Date: Tue Dec 29 21:09:51 2009 GMT
Module: firewall-init Tag: HEAD
---- Log message:
- reality check
- added generic_(un)load_modules
- updated ipv(4|5)_(un)load_modules for current kernels
---- Files affected:
firewall-init/firewall.d:
functions (1.15 -> 1.16)
---- Diffs:
================================================================
Index: firewall-init/firewall.d/functions
diff -u firewall-init/firewall.d/functions:1.15 firewall-init/firewall.d/functions:1.16
--- firewall-init/firewall.d/functions:1.15 Tue Dec 29 20:33:07 2009
+++ firewall-init/firewall.d/functions Tue Dec 29 22:09:46 2009
@@ -1,15 +1,59 @@
+generic_load_modules()
+{
+ typeset i conn b
+
+ _modprobe die -a x_tables
+ _modprobe die -a nf_conntrack \
+ `[ -z "$CONNTRACK_HASHSIZE" ] || echo "expect_hashsize=$CONNTRACK_HASHSIZE"`
+
+ if [ "$CONNTRACK_MODULES" = "all" -o -z "$CONNTRACK_MODULES" ] ; then
+ conn=""
+ for i in /lib/modules/`uname -r`/kernel/net/netfilter/nf_conntrack_*.ko{.gz,} ; do
+ if [ -f "$i" ]; then
+ for b in $CONNTRACK_MODULES_BLACKLIST ; do
+ if [[ "$i" = */nf_conntrack_$b.ko* ]]; then
+ i=
+ break
+ fi
+ done
+ if [ -n "$i" ]; then
+ i=${i%.ko(.gz|)}
+ conn="$conn ${i##*/}"
+ fi
+ fi
+ done
+ _modprobe die -a $conn
+ elif [ "$CONNTRACK_MODULES" != "none" ] ; then
+ conn=""
+ for i in $CONNTRACK_MODULES ; do
+ conn="$conn nf_conntrack_$i"
+ done
+ _modprobe die -a $conn
+ fi
+}
+
ipv4_load_modules()
{
typeset i conn
_modprobe die -a ip_tables
- _modprobe die -a ip_conntrack \
- `[ -z "$CONNTRACK_HASHSIZE" ] || echo "hashsize=$CONNTRACK_HASHSIZE"`
+ _modprobe die -a nf_conntrack_ipv4
if [ "$CONNTRACK_MODULES" = "all" -o -z "$CONNTRACK_MODULES" ] ; then
conn=""
- for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.{k,}o{.gz,} ; do
- [ -f "$i" ] && conn="$conn `echo $i | awk '!/ftp|irc|egg/ { gsub(/.*\//,"") ; gsub(/\.[k]o(\.gz)$/,"") ; print $1 }'`"
+ for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.ko{.gz,} ; do
+ if [ -f "$i" ]; then
+ for b in $CONNTRACK_MODULES_BLACKLIST ; do
+ if [[ "$i" = */ip_conntrack_$b.ko* ]]; then
+ i=
+ break
+ fi
+ done
+ if [ -n "$i" ]; then
+ i=${i%.ko(.gz|)}
+ conn="$conn ${i##*/}"
+ fi
+ fi
done
_modprobe die -a $conn
elif [ "$CONNTRACK_MODULES" != "none" ] ; then
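Review bot: The nf_conntrack line in generic_load_modules passes `expect_hashsize=$CONNTRACK_HASHSIZE`, while the ip_conntrack line it replaces passed `hashsize=`; on nf_conntrack these are, to my knowledge, two different module parameters (`hashsize` sizes the conntrack table, `expect_hashsize` the much smaller expectation table), so if CONNTRACK_HASHSIZE is still meant to size the conntrack table — the one that fills up under connection floods — the substitution should read `[ -z "$CONNTRACK_HASHSIZE" ] || echo "hashsize=$CONNTRACK_HASHSIZE"`. A second point in the same function: `i=${i%.ko(.gz|)}` is a ksh/extglob pattern, and under bash without `shopt -s extglob` it matches nothing, so the `.ko` suffix survives into `$conn` and `_modprobe die` aborts on a module name that does not exist. Two plain strips, `i=${i%.gz}; i=${i%.ko}`, need no shell option; the same expansion recurs in the ip_conntrack and nf_nat loops of the next two hunks.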
@@ -23,8 +67,19 @@
if echo "$ipv4_TABLES" | awk '!/nat/ {exit 1}' ; then
if [ "$NAT_MODULES" = "all" -o -z "$NAT_MODULES" ] ; then
conn=""
- for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.{k,}o{.gz,} ; do
- [ -f "$i" ] && conn="$conn `echo $i | awk '!/ftp|irc/ { gsub(/.*\//,"") ; gsub(/\.[k]o(\.gz)$/,"") ; print $1 }'`"
+ for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/nf_nat_*.ko{.gz,} ; do
+ if [ -f "$i" ]; then
+ for b in $NAT_MODULES_BLACKLIST ; do
+ if [[ "$i" = */nf_nat_$b.ko* ]]; then
+ i=
+ break
+ fi
+ done
+ if [ -n "$i" ]; then
+ i=${i%.ko(.gz|)}
+ conn="$conn ${i##*/}"
+ fi
+ fi
done
_modprobe die -a $conn
elif [ "$NAT_MODULES" != "none" ] ; then
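Review bot: The walk-directory / blacklist / strip-suffix loop in this hunk is the third copy of the same eleven lines (generic_load_modules and the ip_conntrack loop carry the other two), differing only in the `nf_nat_` prefix and the blacklist variable, and the blacklist glob `*/nf_nat_$b.ko*` is an unquoted expansion of a config value that an entry like `*` would turn into a match-everything pattern. Factoring the name computation into one helper that takes the prefix and blacklist as arguments keeps the three loops to a single line each, gives one place to fix the suffix stripping, and avoids the extglob dependency. The enclosing function starts and ends outside the hunk.
```shell
# Print the module name for a .ko/.ko.gz path, or nothing when the
# part after $prefix is listed in $blacklist.
_module_name()
{
	typeset path=$1 prefix=$2 blacklist=$3 b
	for b in $blacklist ; do
		[[ "$path" = */${prefix}$b.ko* ]] && return 0
	done
	path=${path##*/}
	path=${path%.gz}
	echo "${path%.ko}"
}

# … unchanged: ipv4_TABLES / NAT_MODULES tests …
		for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/nf_nat_*.ko{.gz,} ; do
			[ -f "$i" ] && conn="$conn `_module_name "$i" nf_nat_ "$NAT_MODULES_BLACKLIST"`"
		done
```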
@@ -40,6 +95,20 @@
ipv6_load_modules()
{
_modprobe die -a ip6_tables
+ _modprobe die -a nf_conntrack_ipv6
+}
+
+generic_remove_modules()
+{
+ typeset modules
+
+ modules="`lsmod | grep "^xt_" | cut -f 1 -d ' '`"
+ [ -n "$modules" ] && rmmod $modules
+ modules="`lsmod | grep "^nf_" | cut -f 1 -d ' '`"
+ [ -n "$modules" ] && rmmod $modules
+ modules="`lsmod | grep "^nfnetlink" | cut -f 1 -d ' '`"
+ [ -n "$modules" ] && rmmod $modules
+ rmmod x_tables
}
ipv4_remove_modules()
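Review bot: In generic_remove_modules every rmmod status is discarded and the final `rmmod x_tables` is unconditional, so a module still held by a dependent (x_tables by ip_tables/ip6_tables, nf_conntrack in the `^nf_` batch by nf_conntrack_ipv4/ipv6 and nf_nat) stays loaded with nothing but an rmmod message on stderr, and a stop that leaves conntrack and NAT state active still returns success. Whether that occurs depends on the order in which the stop path calls the generic and per-family removers, which is outside this hunk. At minimum the last line should test before removing, `lsmod | grep -q '^x_tables ' && rmmod x_tables`, and it would be worth listing what survived after the batch, e.g. `lsmod | grep '^\(xt_\|nf_\|x_tables \)'`, so the operator sees leftovers instead of a clean exit. Note also that `^nf_` already covers the nf_nat_* and nf_conntrack_ipv4 modules that ipv4_remove_modules removes on its own, so one of the two passes is redundant depending on order.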
@@ -48,7 +117,7 @@
modules="`lsmod | grep "^ipt_" | cut -f 1 -d ' '`"
[ -n "$modules" ] && rmmod $modules
- modules="`lsmod | grep "^ip_nat_" | cut -f 1 -d ' '`"
+ modules="`lsmod | grep "^nf_nat_" | cut -f 1 -d ' '`"
[ -n "$modules" ] && rmmod $modules
modules="`lsmod | grep "^iptable_" | cut -f 1 -d ' '`"
[ -n "$modules" ] && rmmod $modules
@@ -231,4 +300,4 @@
}
# This must be last line !
-# vi:syntax=sh:ts=8:sw=4
+# vi:syntax=sh
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/firewall-init/firewall.d/functions?r1=1.15&r2=1.16&f=u