IPFIREwall

Kernel module loading

IPFIRE needs five kernel modules to work. Loading the module called ipfi is sufficient, since it automatically loads the others it needs. IPFIREwall consists of the following modules:

ipfi
ipfi_netl
ipfi_machine
ipfi_translation
ipfi_log

The first registers with the netfilter hooks (so it is not necessary to modify the kernel sources to load IPFIREwall) and is responsible for invoking the filter and translation functions and returning a verdict to the IP routines.
The second handles communication between kernel space and user space via a netlink socket. It is also the main actor in keeping track of statistics.
The third module contains the filtering functions: a packet is inspected to see whether any permit or deny rule matches its fields. The response returned to the calling routines in ipfi.c depends on whether a user rule matched. If no rule in the ruleset matches, the default policy response is returned (see the proc chapter for details on the default policy and how to change it).
The fourth module handles translation: source and destination network address/port translation and masquerading take place here, and the getsockopt interface is implemented here too.
The last one attends to logging events to user space; its functions are used only when smart logging is enabled (i.e. loguser 1). See the logging levels and implications chapter for details, or the configuration files chapter or the command line options chapter for enabling different levels of logging.
Logging tables are dynamically allocated when smart logging is in use, so take into account the observations made in the kernel dynamic tables: timers and numerousness management chapter.

Module loading

Before starting the user interface, the kernel modules must be loaded. The user interface loads the ipfi module automatically at startup. The administrator can in any case load the IPFIRE modules by entering the command
modprobe ipfi
at the command prompt.
When the module is inserted this way, the default policy is to drop packets which do not match any rule. If you want an accept policy for those packets, you have to load the module passing a parameter to it:

modprobe ipfi policy="accept"

In this way, the default policy is to accept all packets which are not explicitly dropped. You can verify it by reading the proc entry:

cat /proc/IPFIRE/policy

You should read:

IPFIRE default behaviour when a packet does not match: accept.
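As an added example (not part of the IPFIREwall documentation), the following POSIX shell script wraps the loading step above and then confirms through the proc entry that the kernel really adopted the intended default policy; an accept policy left in place by mistake silently turns the firewall into a pass-through. The proc line format, the plain modprobe ipfi (drop) form and the policy="accept" parameter are taken from the text; the function names and the POLICY_PROC override (used so the parsing can be exercised without the module loaded) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the IPFIREwall project: load ipfi with an
# explicit default policy, then verify via /proc that the kernel agreed.
# Assumption: the proc entry is /proc/IPFIRE/policy and prints the line
# "IPFIRE default behaviour when a packet does not match: <policy>."
# POLICY_PROC can be overridden to point at a file for offline testing.

POLICY_PROC="${POLICY_PROC:-/proc/IPFIRE/policy}"

# parse_policy LINE: print the policy word (accept/drop) contained in the
# proc line; prints nothing if the line has an unexpected shape.
parse_policy() {
    printf '%s\n' "$1" | sed -n \
        's/^IPFIRE default behaviour when a packet does not match: *\([a-z]*\)\.*$/\1/p'
}

# load_ipfi POLICY: load the module. Plain "modprobe ipfi" gives the
# documented drop default; "accept" is requested with the documented
# policy="accept" parameter. Other values are rejected before modprobe.
load_ipfi() {
    case "$1" in
        drop)   modprobe ipfi ;;
        accept) modprobe ipfi policy="accept" ;;
        *) echo "load_ipfi: policy must be accept or drop" >&2; return 2 ;;
    esac
}

# current_policy: read the live policy; fail if the proc entry is absent
# (module not loaded), rather than silently reporting nothing.
current_policy() {
    [ -r "$POLICY_PROC" ] || {
        echo "current_policy: $POLICY_PROC missing; is ipfi loaded?" >&2
        return 1
    }
    parse_policy "$(cat "$POLICY_PROC")"
}

# verify_policy EXPECTED: succeed only if the kernel reports EXPECTED.
verify_policy() {
    actual="$(current_policy)" || return 1
    if [ "$actual" = "$1" ]; then
        echo "ipfi default policy confirmed: $actual"
        return 0
    fi
    echo "MISMATCH: wanted $1, kernel reports '${actual:-unknown}'" >&2
    return 1
}

# Usage (as root):  sh ipfi-load.sh --run drop
# Loads the module with the requested policy and refuses to report success
# unless /proc/IPFIRE/policy shows the same policy.
if [ "${1:-}" = "--run" ]; then
    load_ipfi "${2:-drop}" && verify_policy "${2:-drop}"
fi
```

Running it with no arguments only defines the functions, so it can be sourced from a larger startup script; the --run form is the one that touches modprobe.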

Module unloading

When the user interface exits, or whenever the ipfirewall userspace program is turned off, if the kernel modules remain loaded, packets are filtered according to the default policy adopted when the module was loaded or set by means of the proc interface. If the administrator wants to unload the module when the userspace firewall exits, it can be done in two ways:


NOTE: during system halt, if services need network communication while the IPFIRE user interface has already exited and the kernel module remains loaded, they may remain waiting to be able to communicate, since communication is not allowed if the firewall policy was set to drop packets by default.
