Kernel module loading
IPFIREwall needs five kernel modules to work. Loading the module called ipfi
is sufficient, since it automatically loads the others it needs.
IPFIREwall consists of the following modules:
ipfi
ipfi_netl
ipfi_machine
ipfi_translation
ipfi_log
The first registers with the netfilter hooks (so it is not necessary to modify the kernel
sources to load IPFIREwall) and is responsible for invoking the filter and translation functions
and returning a verdict to the IP routines.
The second handles communication between kernel space and user space over a
netlink socket. It is also the main actor in keeping track of statistics.
The third module contains the filtering functions: a packet is inspected to see whether any
permit or deny rule matches its fields. The response returned to the calling
routines in ipfi.c depends on whether one of the user's rules matches. If no rule in the
ruleset matches, the default policy response is returned (see the proc chapter for details on the default policy and
how to change it).
The fourth module is concerned with translation: source and destination network
address/port translation and masquerading take place here, and the getsockopt
interface is implemented here too.
The last one attends to logging events to user space; its functions are used only
when smart logging is enabled (i.e. loguser 1).
See logging levels and implications for details, or the
configuration files chapter or the
command line options chapter for enabling different
levels of logging.
Logging tables are dynamically allocated when smart logging is in use, so take into
account the observations made in the kernel dynamic
tables: timers and numerousness management chapter.
Module loading
Before starting the user interface, the kernel modules must be loaded.
The user interface loads the ipfi module automatically at startup.
The administrator can nevertheless load the IPFIRE modules by issuing the command
modprobe ipfi
at a command prompt.
When the module is inserted in this way, the default policy is to drop packets which do
not match any rule. If you want an accept policy for
those packets, you have to load the module passing a parameter to it:
modprobe ipfi policy="accept"
In this way the default policy is to accept all packets which are not explicitly dropped. You
can verify it by reading the proc entry:
cat /proc/IPFIRE/policy
You should read:
IPFIRE default behaviour when a packet does not match: accept.
Module unloading
When the user interface exits, or in any case when the ipfirewall user-space program is turned off,
if the kernel modules remain loaded, packets are filtered according to the default policy
adopted when the module was loaded or set by means of the proc
interface. If the administrator wants to unload the module when the user-space firewall exits, it
can be done in two ways:
- with modprobe -r ipfi from a command line prompt;
- by specifying -rmmod as an option when starting the user interface (see the command line options chapter). In this way IPFIREwall unloads the kernel modules automatically when told to shut down. This is useful when the packet filter is started by an rc script.
NOTE: during system halt, if services still need network communication after the IPFIRE user interface has gone away while the kernel module remains loaded, they may hang waiting to communicate: with a drop default policy and no user-space program running, their traffic is silently discarded. Unload the module (or start the user interface with -rmmod) before such services are stopped.
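The load, verify and unload steps of this chapter, wrapped as an rc-style script. This is an added example, not part of the IPFIREwall distribution: the module name ipfi, the policy="accept" parameter and the /proc/IPFIRE/policy entry come from the text above; the function names, the lsmod check and the choice to pass no parameter for a drop policy (the built-in default) are assumptions.

```shell
#!/bin/sh
# Added example, not IPFIREwall's own code: rc-style helper that loads the
# ipfi module with the chosen default policy, verifies the policy through
# /proc/IPFIRE/policy, and unloads the module at shutdown.
# Module name, the policy= parameter and the proc entry are taken from the
# manual; function names and the "drop" handling are assumptions.

IPFIRE_MODULE="ipfi"
IPFIRE_PROC_POLICY="/proc/IPFIRE/policy"

# Accept only the two policies the manual describes.
ipfire_valid_policy() {
    case "$1" in
        accept|drop) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the modprobe arguments for a policy. The manual shows policy="accept"
# (the quotes are shell quoting; the module sees policy=accept). Drop is the
# built-in default, so no parameter is passed for it (assumption: avoids
# relying on an undocumented policy="drop").
ipfire_modprobe_args() {
    case "$1" in
        accept) echo "$IPFIRE_MODULE policy=accept" ;;
        drop)   echo "$IPFIRE_MODULE" ;;
        *)      return 1 ;;
    esac
}

# Extract "accept" or "drop" from the proc entry text, e.g.
#   IPFIRE default behaviour when a packet does not match: accept.
# Returns 1 when the text does not have the expected shape.
ipfire_parse_policy() {
    case "$1" in
        *"does not match: accept"*) echo accept ;;
        *"does not match: drop"*)   echo drop ;;
        *) return 1 ;;
    esac
}

# True when ipfi itself (not ipfi_netl etc.) appears in lsmod.
ipfire_loaded() {
    lsmod | grep -q "^${IPFIRE_MODULE}[[:space:]]"
}

# start: load ipfi (which pulls in the other four modules) and check that the
# kernel really applies the requested policy before the user interface starts.
ipfire_start() {
    policy="${1:-drop}"
    ipfire_valid_policy "$policy" || { echo "unknown policy '$policy' (accept|drop)" >&2; return 1; }
    if ipfire_loaded; then
        echo "$IPFIRE_MODULE already loaded" >&2
    else
        # word splitting of the printed arguments is intended here
        modprobe $(ipfire_modprobe_args "$policy") || return 1
    fi
    actual=$(ipfire_parse_policy "$(cat "$IPFIRE_PROC_POLICY")") || {
        echo "cannot read policy from $IPFIRE_PROC_POLICY" >&2; return 1; }
    if [ "$actual" != "$policy" ]; then
        echo "policy mismatch: wanted $policy, kernel reports $actual" >&2
        return 1
    fi
    echo "$IPFIRE_MODULE loaded, default policy: $actual"
}

# stop: remove the module so that services which still need the network during
# halt are not left waiting behind a drop policy with no user-space program.
ipfire_stop() {
    if ipfire_loaded; then
        modprobe -r "$IPFIRE_MODULE"
    fi
}

ipfire_status() {
    if ipfire_loaded; then
        ipfire_parse_policy "$(cat "$IPFIRE_PROC_POLICY")"
    else
        echo "not loaded"
    fi
}

# Dispatch only when invoked with an action, so the functions above can be
# sourced without side effects.
if [ $# -gt 0 ]; then
    case "$1" in
        start)  ipfire_start "${2:-drop}" ;;
        stop)   ipfire_stop ;;
        status) ipfire_status ;;
        *) echo "usage: $0 {start [accept|drop]|stop|status}" >&2; exit 1 ;;
    esac
fi
```

Run it as root: `./ipfire.sh start accept` before launching the user interface, and `./ipfire.sh stop` from the halt sequence before network-dependent services are stopped. `start` fails loudly if the kernel reports a different default policy than the one requested, rather than silently leaving the host behind an unexpected policy.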