firewall-init: firewall.d/functions - reality check - added generic_(un)loa...

baggins baggins at pld-linux.org
Tue Dec 29 22:09:51 CET 2009


Author: baggins                      Date: Tue Dec 29 21:09:51 2009 GMT
Module: firewall-init                 Tag: HEAD
---- Log message:
- reality check
- added generic_(un)load_modules
- updated ipv(4|6)_(un)load_modules for current kernels

---- Files affected:
firewall-init/firewall.d:
   functions (1.15 -> 1.16) 

---- Diffs:

================================================================
Index: firewall-init/firewall.d/functions
diff -u firewall-init/firewall.d/functions:1.15 firewall-init/firewall.d/functions:1.16
--- firewall-init/firewall.d/functions:1.15	Tue Dec 29 20:33:07 2009
+++ firewall-init/firewall.d/functions	Tue Dec 29 22:09:46 2009
@@ -1,15 +1,59 @@
+generic_load_modules()
+{
+	typeset i conn b
+
+	_modprobe die -a x_tables
+	_modprobe die -a nf_conntrack \
+		`[ -z "$CONNTRACK_HASHSIZE" ] || echo "expect_hashsize=$CONNTRACK_HASHSIZE"`
+
+	if [ "$CONNTRACK_MODULES" = "all" -o -z "$CONNTRACK_MODULES" ] ; then
+		conn=""
+		for i in /lib/modules/`uname -r`/kernel/net/netfilter/nf_conntrack_*.ko{.gz,} ; do
+			if [ -f "$i" ]; then
+				for b in $CONNTRACK_MODULES_BLACKLIST ; do
+					if [[ "$i" = */nf_conntrack_$b.ko* ]]; then
+						i=
+						break
+					fi
+				done
+				if [ -n "$i" ]; then
+					i=${i%.ko(.gz|)}
+					conn="$conn ${i##*/}"
+				fi
+			fi
+		done
+		_modprobe die -a $conn
+	elif [ "$CONNTRACK_MODULES" != "none" ] ; then
+		conn=""
+		for i in $CONNTRACK_MODULES ; do
+			conn="$conn nf_conntrack_$i"
+		done
+		_modprobe die -a $conn
+	fi
+}
+
 ipv4_load_modules()
 {
 	typeset i conn
 
 	_modprobe die -a ip_tables
-	_modprobe die -a ip_conntrack \
-		`[ -z "$CONNTRACK_HASHSIZE" ] || echo "hashsize=$CONNTRACK_HASHSIZE"`
+	_modprobe die -a nf_conntrack_ipv4
 
 	if [ "$CONNTRACK_MODULES" = "all" -o -z "$CONNTRACK_MODULES" ] ; then
 	    conn=""
-	    for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.{k,}o{.gz,} ; do
-		    [ -f "$i" ] && conn="$conn `echo $i | awk '!/ftp|irc|egg/ { gsub(/.*\//,"") ; gsub(/\.[k]o(\.gz)$/,"") ; print $1 }'`"
+	    for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.ko{.gz,} ; do
+		if [ -f "$i" ]; then
+			for b in $CONNTRACK_MODULES_BLACKLIST ; do
+				if [[ "$i" = */ip_conntrack_$b.ko* ]]; then
+					i=
+					break
+				fi
+			done
+			if [ -n "$i" ]; then
+				i=${i%.ko(.gz|)}
+				conn="$conn ${i##*/}"
+			fi
+		fi
 	    done
 	    _modprobe die -a $conn
 	elif [ "$CONNTRACK_MODULES" != "none" ] ; then
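Review bot: The nf_conntrack call at the top of generic_load_modules passes `expect_hashsize=$CONNTRACK_HASHSIZE`, whereas the removed ip_conntrack line passed `hashsize=`; nf_conntrack accepts `hashsize=` for the connection hash table too, while `expect_hashsize` sizes the expectation table, so an existing CONNTRACK_HASHSIZE setting now silently bounds a different table — suggested: `` `[ -z "$CONNTRACK_HASHSIZE" ] || echo "hashsize=$CONNTRACK_HASHSIZE"` ``. Separately, `i=${i%.ko(.gz|)}` relies on a bare `(.gz|)` group in the suffix pattern; under bash that group is literal text unless extglob is enabled and it is written `@(.gz|)`, in which case the `.ko` suffix is never stripped and modprobe is handed names like `nf_conntrack_ftp.ko` — `i=${i%.gz}; i=${i%.ko}` does the same job in any shell. The same pattern, and a loop variable `b` that the unchanged `typeset i conn` line does not declare (so it leaks as a global), recur in the ipv4_load_modules part of this hunk and in the nf_nat loop of the next hunk. Whether `ip_conntrack_*.ko` still matches anything under net/ipv4/netfilter on the kernels this targets cannot be seen here; if not, `_modprobe die -a $conn` runs with an empty list. ipv4_load_modules continues beyond the hunk.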
@@ -23,8 +67,19 @@
 	if echo "$ipv4_TABLES" | awk '!/nat/ {exit 1}' ; then
 	    if [ "$NAT_MODULES" = "all" -o -z "$NAT_MODULES" ] ; then
 		conn=""
-		for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.{k,}o{.gz,} ; do
-			[ -f "$i" ] && conn="$conn `echo $i | awk '!/ftp|irc/ { gsub(/.*\//,"") ; gsub(/\.[k]o(\.gz)$/,"") ; print $1 }'`"
+		for i in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/nf_nat_*.ko{.gz,} ; do
+			if [ -f "$i" ]; then
+				for b in $NAT_MODULES_BLACKLIST ; do
+					if [[ "$i" = */nf_nat_$b.ko* ]]; then
+						i=
+						break
+					fi
+				done
+				if [ -n "$i" ]; then
+					i=${i%.ko(.gz|)}
+					conn="$conn ${i##*/}"
+				fi
+			fi
 		done
 		_modprobe die -a $conn
 	    elif [ "$NAT_MODULES" != "none" ] ; then
@@ -40,6 +95,20 @@
 ipv6_load_modules()
 {
 	_modprobe die -a ip6_tables
+	_modprobe die -a nf_conntrack_ipv6
+}
+
+generic_remove_modules()
+{
+	typeset modules
+
+	modules="`lsmod | grep "^xt_" | cut -f 1 -d ' '`"
+	[ -n "$modules" ] && rmmod $modules
+	modules="`lsmod | grep "^nf_" | cut -f 1 -d ' '`"
+	[ -n "$modules" ] && rmmod $modules
+	modules="`lsmod | grep "^nfnetlink" | cut -f 1 -d ' '`"
+	[ -n "$modules" ] && rmmod $modules
+	rmmod x_tables
 }
 
 ipv4_remove_modules()
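Review bot: generic_remove_modules ignores the exit status of every `rmmod`, and `lsmod | grep "^nf_"` sweeps up whatever nf_* modules are loaded in lsmod order — including nf_conntrack_ipv4/ipv6 and the nf_nat_* set that ipv4_remove_modules matches again on the `^nf_nat_` line of the following hunk — so an `rmmod nf_conntrack` issued before its dependents are gone fails, the function carries on to `rmmod x_tables`, which then fails as well, and nothing is reported. Loading uses `_modprobe die`, so unloading should at least surface what stayed resident, e.g. `rmmod $modules || echo "warning: modules still loaded: $modules" >&2` on each of the three lines, or `modprobe -r $modules` which resolves the removal order itself. rmmod refuses a module that is in use, so whether another consumer of nfnetlink exists on the host (not visible here) is a further reason to check the status rather than drop it.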
@@ -48,7 +117,7 @@
 
 	modules="`lsmod | grep "^ipt_" | cut -f 1 -d ' '`"
 	[ -n "$modules" ] && rmmod $modules
-	modules="`lsmod | grep "^ip_nat_" | cut -f 1 -d ' '`"
+	modules="`lsmod | grep "^nf_nat_" | cut -f 1 -d ' '`"
 	[ -n "$modules" ] && rmmod $modules
 	modules="`lsmod | grep "^iptable_" | cut -f 1 -d ' '`"
 	[ -n "$modules" ] && rmmod $modules
@@ -231,4 +300,4 @@
 }
 
 # This must be last line !
-# vi:syntax=sh:ts=8:sw=4
+# vi:syntax=sh
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/firewall-init/firewall.d/functions?r1=1.15&r2=1.16&f=u



More information about the pld-cvs-commit mailing list