Bug 236888
| Summary: | ip6tables service tries to start also if ipv6 not configured during installation | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gianluca Cecchi <gianluca.cecchi> |
| Component: | iptables | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | bressers, cra, pb, sgrubb |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-09-26 16:28:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 150226 | ||
Far better would be to have the initscript determine whether the kernel supports ipv6 and just exit silently if not. And it looks like if [ ! -d /proc/sys/net/ipv6 ]; then exit 1; fi would be a good way to check I agree. Done in 1.3.7-2 (In reply to comment #1) > Far better would be to have the initscript determine whether the kernel supports > ipv6 and just exit silently if not. And it looks like > if [ ! -d /proc/sys/net/ipv6 ]; then exit 1; fi > would be a good way to check Does this really have the intended effect? I'm not sure this is ever present at boot time. In F7, ip6tables won't start at boot due to this this check, however, running the script while the system is running will succeed if ipv6 is enabled. The same holds true with this version on RHEL 5 as well. Bugs such as https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229879 are hidden due to this as well. Fixing this issue in this manner now causes a BIG SECURITY ISSUE on all IPv6 enabled FC7 (perhaps also FC6 systems). Because now, if IPv6 module is loaded during S10network, the ip6tables ruleset is never applied - that is sure not the intention. Default is now ACCEPT on incoming IPv6! See also: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244721 Looks like there is a henn-egg problem. Probably the best solution would be to move ip6tables start from S08 to S11. In this case only a short time the ACCEPT rules are active. Another solution would be to call "service ip6tables start" from network functions, if IPv6 module is loaded. BTW: please test such changes next time in an IPv6-enabled environment also to get sure not causing such security issue by a "minor" change! I'm going to reopen this bug. This fix appears to need fixing. Fixed in rawhide in package iptables-1.3.8-4.1 or newer. You have to blacklist the ipv6 module in /etc/modprobe.conf or /etc/modprobe.d/* |
Description of problem: ip6tables service is activated and gives error even if during installation you deselect it from the ip options Version-Release number of selected component (if applicable): iptables-ipv6-1.3.7-1.1.x86_64.rpm How reproducible: install, deselect ipv6 and watch startup Steps to Reproduce: 1. 2. 3. Actual results: ip6tables starts Expected results: ip6tables skipped Additional info: I think during installation it would be possible to remove the file IP6TABLES_DATA=/etc/sysconfig/ip6tables if ipv6 option is not selected infact during startup of the service there is start() { # Do not start if there is no config file. [ -f "$IP6TABLES_DATA" ] || return 1 ... or set up the ip6tables service non to start via chkconfig....