Bug 236888 - ip6tables service tries to start also if ipv6 not configured during installation
Summary: ip6tables service tries to start also if ipv6 not configured during installation
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: FC7Blocker
Reported: 2007-04-18 09:48 UTC by Gianluca Cecchi
Modified: 2007-11-30 22:12 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-09-26 16:28:16 UTC
Type: ---
Embargoed:



Description Gianluca Cecchi 2007-04-18 09:48:50 UTC
Description of problem:
ip6tables service is activated and gives error even if during installation you
deselect it from the ip options 

Version-Release number of selected component (if applicable):
iptables-ipv6-1.3.7-1.1.x86_64.rpm

How reproducible:
install, deselect ipv6 and watch startup

Steps to Reproduce:
1.
2.
3.
  
Actual results:
ip6tables starts

Expected results:
ip6tables skipped

Additional info:
I think during installation it would be possible to remove the file
IP6TABLES_DATA=/etc/sysconfig/ip6tables
if ipv6 option is not selected
in fact, during startup of the service there is

start() {
    # Do not start if there is no config file.
    [ -f "$IP6TABLES_DATA" ] || return 1
...

or set up the ip6tables service not to start via chkconfig....

Comment 1 Jeremy Katz 2007-04-23 15:30:29 UTC
Far better would be to have the initscript determine whether the kernel supports
ipv6 and just exit silently if not.  And it looks like
   if [ ! -d /proc/sys/net/ipv6 ]; then exit 1; fi
would be a good way to check

Comment 2 Gianluca Cecchi 2007-04-23 16:32:18 UTC
I agree.


Comment 3 Jeremy Katz 2007-04-23 18:58:50 UTC
Done in 1.3.7-2

Comment 4 Chad Hanson 2007-06-01 18:59:12 UTC
(In reply to comment #1)
> Far better would be to have the initscript determine whether the kernel supports
> ipv6 and just exit silently if not.  And it looks like
>    if [ ! -d /proc/sys/net/ipv6 ]; then exit 1; fi
> would be a good way to check

Does this really have the intended effect? I'm not sure this is ever present at
boot time. In F7, ip6tables won't start at boot due to this check, however,
running the script while the system is running will succeed if ipv6 is enabled.
The same holds true with this version on RHEL 5 as well.

Bugs such as https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229879 are
hidden due to this as well. 

Comment 5 Peter Bieringer 2007-06-18 19:13:26 UTC
Fixing this issue in this manner now causes a BIG SECURITY ISSUE on all IPv6
enabled FC7 (perhaps also FC6) systems. Because now, if the IPv6 module is loaded
during S10network, the ip6tables ruleset is never applied - that is surely not the
intention. Default is now ACCEPT on incoming IPv6!

See also: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244721

Looks like there is a hen-and-egg problem. Probably the best solution would be to
move ip6tables start from S08 to S11. In this case the ACCEPT rules are only
active for a short time.

Another solution would be to call "service ip6tables start" from network
functions, if IPv6 module is loaded.

BTW: please test such changes next time in an IPv6-enabled environment also, to
make sure such a security issue is not caused by a "minor" change!
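
The following POSIX sh audit is an added example and is not from the iptables package or its initscript. It checks for the boot-ordering gap described in comment 5 (ip6tables sequenced before the network script that loads the ipv6 module, so the /proc/sys/net/ipv6 test from comment 1 fails and the ruleset is skipped) and for the modprobe workaround from comment 7; the rc directory layout, link names and modprobe file paths are assumptions modelled on Fedora 7.

```shell
#!/bin/sh
# Audit for the start-ordering race from comment 5: ip6tables exits early when
# /proc/sys/net/ipv6 is absent, so if the ipv6 module is only loaded later by
# the network script, no IPv6 ruleset is ever applied (policy stays ACCEPT).
# Assumed layout: SysV rc dir with links such as S10network and S08ip6tables.

# rc_order_ok RCDIR
#   0: ip6tables is sequenced after network (or one of them is not enabled)
#   1: ip6tables would run before network -> ruleset silently skipped at boot
#   2: RCDIR is not a directory
rc_order_ok() {
    rcdir=$1 net_seq= ip6_seq=
    [ -d "$rcdir" ] || return 2
    for link in "$rcdir"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue
        name=${link##*/}                                   # e.g. S10network
        seq=${name#S}; seq=${seq%%[!0-9]*}; seq=${seq#0}  # "10"; "08" -> "8"
        case ${name#S[0-9][0-9]} in
            network)   net_seq=$seq ;;
            ip6tables) ip6_seq=$seq ;;
        esac
    done
    [ -n "$ip6_seq" ] && [ -n "$net_seq" ] || return 0
    [ "$ip6_seq" -gt "$net_seq" ]
}

# ipv6_blacklisted FILE...
#   0 if any given modprobe config file disables the ipv6 module (comment 7's
#   workaround), written either as "blacklist ipv6" or "install ipv6 /bin/true".
ipv6_blacklisted() {
    [ $# -gt 0 ] || return 1
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+ipv6|install[[:space:]]+ipv6[[:space:]]+/bin/true)[[:space:]]*$' "$@"
}

# ipv6_firewall_audit RCDIR MODPROBE_FILE...
#   Prints a verdict; returns 0 when no unprotected IPv6 window exists.
ipv6_firewall_audit() {
    rcdir=$1; shift
    if ipv6_blacklisted "$@"; then
        echo "ok: ipv6 module disabled in modprobe config, no IPv6 stack to firewall"
        return 0
    fi
    rc=0; rc_order_ok "$rcdir" || rc=$?
    case $rc in
        0) echo "ok: ip6tables starts after network" ;;
        1) echo "GAP: ip6tables starts before network; ruleset skipped on boot" ;;
        *) echo "cannot read $rcdir" ;;
    esac
    return $rc
}
```

Example usage on a live system: `ipv6_firewall_audit /etc/rc3.d /etc/modprobe.conf /etc/modprobe.d/*`.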

Comment 6 Josh Bressers 2007-06-29 12:41:48 UTC
I'm going to reopen this bug.  This fix appears to need fixing.

Comment 7 Thomas Woerner 2007-09-26 16:28:16 UTC
Fixed in rawhide in package iptables-1.3.8-4.1 or newer.

You have to blacklist the ipv6 module in /etc/modprobe.conf or /etc/modprobe.d/*
