Add support for loading xtables modules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3925 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/install.sh

@@ -389,12 +389,18 @@ if [ ! -f ${PREFIX}/etc/shorewall/masq ]; then
     echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
 fi
 #
-# Install the Modules file
+# Install the Modules files
 #
-if [ ! -f ${PREFIX}/etc/shorewall/modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules
-    echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
+if [ ! -f ${PREFIX}/usr/share/shorewall/modules ]; then
+    run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
+    echo "Modules file installed as ${PREFIX}/usr/share/shorewall/modules"
 fi
+
+if [ ! -f ${PREFIX}/usr/share/shorewall/xmodules ]; then
+    run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/xmodules
+    echo "Xmodules file installed as ${PREFIX}/usr/share/shorewall/xmodules"
+fi
+
 #
 # Install the TC Rules file
 #

Shorewall/releasenotes.txt

@@ -24,6 +24,10 @@ Note to users upgrading from Shorewall 2.x or 3.0
 	172.16.0.0 - 172.31.255.255
 	192.168.0.0 - 192.168.255.255
 
+   If you have a file named /etc/shorewall/modules, please remove
+   it. The default modules file is now located in /usr/share/shorewall/
+   (see the "Migration Considerations" below).
+
    Please see the "Migration Considerations" below for additional upgrade
    information.
 
@@ -47,6 +51,21 @@ Other changes in 3.2.0 Beta 8
     "all+-" means "All zones except the firewall" and intra-zone
     traffic is included.
 
+2)  Kernel version 2.6.16 introduces 'xtables', a new common packet
+    filtering and connection tracking facility that supports both IPv4
+    and IPv6. Because a different set of kernel modules must be loaded
+    for xtables, Shorewall now includes two 'modules' files:
+
+    a) /usr/share/shorewall/modules -- the former
+    /etc/shorewall/modules
+
+    b) /usr/share/shorewall/xmodules -- a new file that support
+    xtables.
+
+    If you wish to use the new file, then simply execute this command:
+
+    cp -f /usr/share/shorewall/xmodules /etc/modules
+
 Migration Considerations:
 
 1)  If you are upgrading from Shorewall 2.x, it is essential that you read
@@ -147,6 +166,21 @@ Migration Considerations:
     b)  When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
 	in the PREROUTING chain (i.e., you can specify a mark value of zero).
 
+7)  Kernel version 2.6.16 introduces 'xtables', a new common packet
+    filtering and connection tracking facility that supports both IPv4
+    and IPv6. Because a different set of kernel modules must be loaded
+    for xtables, Shorewall now includes two 'modules' files:
+
+    a) /usr/share/shorewall/modules -- the former
+    /etc/shorewall/modules
+
+    b) /usr/share/shorewall/xmodules -- a new file that support
+    xtables.
+
+    If you wish to use the new file, then simply execute this command:
+
+    cp -f /usr/share/shorewall/xmodules /etc/modules
+
 New Features:
 
 1)  Shorewall has always been very noisy (lots of messages). No longer.
@@ -395,6 +429,21 @@ New Features:
 
     As part of this change, Shorewall no longer adds the "--syn" option
     to TCP rules that specify QUEUE as their target.
+2)  Kernel version 2.6.16 introduces 'xtables', a new common packet
+    filtering and connection tracking facility that supports both IPv4
+    and IPv6. Because a different set of kernel modules must be loaded
+    for xtables, Shorewall now includes two 'modules' files:
+
+    a) /usr/share/shorewall/modules -- the former
+    /etc/shorewall/modules
+
+    b) /usr/share/shorewall/xmodules -- a new file that support
+    xtables.
+
+    If you wish to use the new file, then simply execute this command:
+
+    cp -f /usr/share/shorewall/xmodules /etc/modules
+
 
 6)  /sbin/shorewall now supports a "-t" option that causes all progress
     messages to be timestamped.

Shorewall/shorewall.spec

@@ -80,7 +80,6 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
-%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
@@ -166,6 +165,7 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/macro.Web
 %attr(0644,root,root) /usr/share/shorewall/macro.Webmin
 %attr(0644,root,root) /usr/share/shorewall/macro.Whois
+%attr(0644,root,root) /usr/share/shorewall/modules
 %attr(0644,root,root) /usr/share/shorewall/prog.footer
 %attr(0644,root,root) /usr/share/shorewall/prog.header
 %attr(0644,root,root) /usr/share/shorewall/prog.footer.debian
@@ -176,6 +176,7 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/prog.header.suse
 %attr(0644,root,root) /usr/share/shorewall/rfc1918
 %attr(0644,root,root) /usr/share/shorewall/configpath
+%attr(0644,root,root) /usr/share/shorewall/xmodules
 
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 

Shorewall/xmodules

@@ -0,0 +1,118 @@
+#
+# Shorewall version 3.2 - xtables Modules File
+#
+# /etc/shorewall/xmodules
+#
+#	This file loads the modules needed by the firewall on 2.6.16 and later
+#	kernels.
+#
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#modules
+#
+###############################################################################
+#
+# Essential Modules
+#
+loadmodule nfnetlink
+loadmodule x_tables
+loadmodule ip_tables
+loadmodule iptable_filter
+loadmodule iptable_mangle
+loadmodule ip_conntrack
+loadmodule iptable_nat
+loadmodule xt_state
+loadmodule xt_tcpudp
+#
+# Other xtables modules
+#
+loadmodule xt_CLASSIFY
+loadmodule xt_connmark
+loadmodule xt_CONNMARK
+loadmodule xt_conntrack
+loadmodule xt_dccp
+loadmodule xt_helper
+loadmodule xt_length
+loadmodule xt_limit
+loadmodule xt_mac
+loadmodule xt_mark
+loadmodule xt_MARK
+loadmodule xt_NFQUEUE
+loadmodule xt_physdev
+loadmodule xt_pkttype
+loadmodule xt_tcpmss
+#
+# Helpers
+#
+loadmodule ip_conntrack_ftp
+loadmodule ip_conntrack_tftp
+loadmodule ip_conntrack_irc
+loadmodule iptable_nat
+loadmodule ip_nat_ftp
+loadmodule ip_nat_tftp
+loadmodule ip_nat_irc
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
+#
+# Traffic Shaping
+#
+loadmodule sch_sfq
+loadmodule sch_ingress
+loadmodule sch_htb
+loadmodule cls_u32
+#
+# Extensions
+#
+loadmodule ipt_addrtype
+loadmodule ipt_ah
+loadmodule ipt_CLASSIFY
+loadmodule ipt_CLUSTERIP
+loadmodule ipt_comment
+loadmodule ipt_connmark
+loadmodule ipt_CONNMARK
+loadmodule ipt_conntrack
+loadmodule ipt_dscp
+loadmodule ipt_DSCP
+loadmodule ipt_ecn
+loadmodule ipt_ECN
+loadmodule ipt_esp
+loadmodule ipt_hashlimit
+loadmodule ipt_helper
+loadmodule ipt_ipp2p
+loadmodule ipt_iprange
+loadmodule ipt_length
+loadmodule ipt_limit
+loadmodule ipt_LOG
+loadmodule ipt_mac
+loadmodule ipt_mark
+loadmodule ipt_MARK
+loadmodule ipt_MASQUERADE
+loadmodule ipt_multiport
+loadmodule ipt_NETMAP
+loadmodule ipt_NOTRACK
+loadmodule ipt_owner
+loadmodule ipt_physdev
+loadmodule ipt_pkttype
+loadmodule ipt_policy
+loadmodule ipt_realm
+loadmodule ipt_recent
+loadmodule ipt_REDIRECT
+loadmodule ipt_REJECT
+loadmodule ipt_SAME
+loadmodule ipt_sctp
+loadmodule ipt_set
+loadmodule ipt_state
+loadmodule ipt_tcpmss
+loadmodule ipt_TCPMSS
+loadmodule ipt_tos
+loadmodule ipt_TOS
+loadmodule ipt_ttl
+loadmodule ipt_TTL
+loadmodule ipt_ULOG
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE