Description of problem: ip6tables-restore makes a call to "getprotobyname" before the network is up. If authconfig has configured "protocols" to use ldap as a db source, it will take a very long time to complete. In order to prevent this from being a problem, authconfig should avoid listing ldap as a source for "protocols". Version-Release number of selected component (if applicable): authconfig-5.3.12-2.el5 How reproducible: always Steps to Reproduce: 1. configure a system to use ldap for user info, using authconfig 2. reboot
This looks related to Fedora Core 6 bug # 214141.
Created attachment 158631 [details] A patch workaround for ip6tables This patch to /etc/sysconfig/ip6tables.conf works around the problem by eliminating the use of the symbolic protocol specified, replacing it with a literal number. The protocol number for IPv6 ICMP is 58. So, this works in ip6tables.conf to accept ipv6-icmp traffic: -A RH-Firewall-1-INPUT -p 58 -j ACCEPT Putting any symbolic value in the protocol makes ip6tables-restore hang: -A RH-Firewall-1-INPUT -p icmp6 -j ACCEPT -A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT -A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT -A RH-Firewall-1-INPUT -p foo -j ACCEPT These all yield the same result.
Ooops, I meant just "A patch workaround for /etc/sysconfig/ip6tables". The fix for this should probably go into system-config-securitylevel, since that is what is generating the "-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT" line. ip6tables-restore could probably also be patched to hardcode the icmpv6 protocol number to avoid a lookup. It's not as if that is going to change any time soon. I wonder why ip6tables-restore has this issue, but iptables-restore does not, though /etc/sysconfig/iptables has "icmp" as a symbol.
Changing /etc/nsswitch.conf so that protocols are only looked up from files also resolves the issue: protocols: files
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0375.html