Kernel module loading implemented

CHANGELOG

@@ -1,4 +1,8 @@
-2.00 Alpha 1
+2.00 Alpha 2 - 04/11/2014
+	- Slightly better documentation
+	- Module loading for netfilter helpers
+
+2.00 Alpha 1 - 04/10/2014
 	- Complete code rewrite and restructure to solve some long standing issues with v1
 	- Separate out functions into support files for easier grouping of what they do
 	- Make more compatible with multiple disto file layouts

bin/srfirewall

@@ -31,6 +31,7 @@ FWBINDIR="${FWPREFIX}/bin"
 source "${FWLIBDIR}/binaries.inc"
 source "${FWLIBDIR}/iptables.inc"
 source "${FWLIBDIR}/display.inc"
+source "${FWLIBDIR}/kernel.inc"
 
 source "${FWCONFIGDIR}/main.conf"
 
@@ -46,10 +47,10 @@ source "${FWCONFIGDIR}/ipv6.conf"
 [[ -e "{FWCONFIGDIR}/ipv6/local.conf" ]] && source "{FWCONFIGDIR}/ipv6/local.conf"
 
 
-# We require at least bash v3 or later at this point given some of the more complex
+# We require at least bash v2 or later at this point given some of the more complex
 # operations we do to make the firewall script work.
 if (( ${BASH_VERSINFO[0]} <= "2" )); then
-	echo "Error: We can only run with bash 3.0 or higher.  Please upgrade your version"
+	echo "Error: We can only run with bash 2.0 or higher.  Please upgrade your version"
 	echo "of bash to something more recent, preferably the latest which is, as of this"
 	echo "writing, 4.x"
 	exit 1
@@ -178,7 +179,11 @@ if [ "${EnableIPv4}" == "yes" ]; then
 	Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}
 	Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}
 	Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}
-	default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy} 
+	default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
+	([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
+		&& load_kernel_modules "${Loadv4NetfilterModules}"
+	([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] \
+		&& [[ ${Enablev4NAT} == "yes" ]]) && load_kernel_modules "${Loadv4NetfilterModulesNAT}"
 	[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
 	([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
 			&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
@@ -208,6 +213,10 @@ if [ "${EnableIPv6}" == "yes" ]; then
 	Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
 	Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
 	default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}
+	([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
+		&& load_kernel_modules "${Loadv6NetfilterModules}"
+	([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] \
+		&& [[ ${Enablev6NAT} == "yes" ]]) && load_kernel_modules "${Loadv6NetfilterModulesNAT}"
 	[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
 	([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
 			&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"

etc/ipv4.conf

@@ -29,7 +29,8 @@ Enablev4MSSClamp="yes"
 # packets it allows and refuses.  On highly loaded systems or
 # ones with low memory, this may be desirable.  Everyone else
 # should probably leave this on.
-# Depended on by: Enablev4NAT Enablev4ConnTrackInterfaces
+# Depended on by: Enablev4NAT Enablev4ConnTrackInterfaces Enablev4NetfilterModules
+#	Loadv4NetfilterModules
 # Values: no | yes (default)
 Enablev4ConnectionTracking="yes"
 
@@ -97,6 +98,26 @@ Enablev4NAT="yes"
 # Values: no | yes (default)
 Enablev4PortForwarding="yes"
 
+# Enable loading of helper modules
+# Load kernel modules for various helpers/ALGs that netfilter
+# has available. You may need to modify the Loadv4NetfilterModules
+# option as sometimes kernel modules may not exist or be renamed on
+# a particular system.
+# Values: no | yes (default)
+Enablev4NetfilterModules="yes"
+
+# List of kernel netfilter modules to Load
+# Default: nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc
+#	nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre
+#	nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip
+#	nf_conntrack_broadcast
+Loadv4NetfilterModules="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_broadcast" 
+
+# These are loaded as well if you have Enablev4NAT set to yes
+# Default: nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp
+#	nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip
+Loadv4NetfilterModulesNAT="nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip"
+
 # Default policy for filtering rules
 # netfilter/iptables has a default policy that can be set, such as
 # DROP all unless it is explicitly allowed via rules.

etc/ipv6.conf

@@ -97,6 +97,25 @@ Enablev6NAT="yes"
 # Values: no | yes (default)
 Enablev6PortForwarding="yes"
 
+# Enable loading of helper modules
+# Load kernel modules for various helpers/ALGs that netfilter
+# has available. You may need to modify the Loadv4NetfilterModules
+# option as sometimes kernel modules may not exist or be renamed on
+# a particular system.
+# This is set to no by default on ipv6 because on my test system, I do not
+# see any usable helper modules for ipv6 use.  Obviously this may change
+# in the future.
+# Values: no (default) | yes
+Enablev6NetfilterModules="no"
+
+# List of kernel netfilter modules to Load
+# Default: none
+Loadv6NetfilterModules=""
+
+# These are loaded as well if you have Enablev4NAT set to yes
+# Default: none
+Loadv6NetfilterModulesNAT=""
+
 # Default policy for filtering rules
 # netfilter/iptables has a default policy that can be set, such as
 # DROP all unless it is explicitly allowed via rules.

lib/iptables.inc

@@ -60,7 +60,7 @@ function default_policy_set {
 		ipv6) VER_IPTABLES=${IP6TABLES} ;;
 		ipv4|*) VER_IPTABLES=${IPTABLES} ;;
 	esac
-	${display} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
+	${display} RED "Setting ${IP_VERSION} policies to INPUT:${INPOLICY} OUTPUT:${OUTPOLICY} FORWARD:${FWDPOLICY}..."
 	${VER_IPTABLES} --policy INPUT ${INPOLICY}
 	${VER_IPTABLES} --policy OUTPUT ${OUTPOLICY}
 	${VER_IPTABLES} --policy FORWARD ${FWDPOLICY}

lib/kernel.inc

@@ -0,0 +1,28 @@
+#!/bin/bash
+# By Brielle Bruns <bruns@2mbit.com>
+# URL: http://www.sosdg.org/freestuff/firewall
+# License: GPLv3
+#
+#    Copyright (C) 2009 - 2014  Brielle Bruns
+#    Copyright (C) 2009 - 2014  The Summit Open Source Development Group
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+function load_kernel_modules {
+	LOAD_MODULES="${2}"
+	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+	for i in $LOAD_MODULES; do
+		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Loading kernel module ${i}..."
+		${MODPROBE} ${i}
+	done
+}