Red Hat Bugzilla – Bug 236888
ip6tables service tries to start also if ipv6 not configured during installation
Last modified: 2007-11-30 17:12:02 EST
Description of problem:
ip6tables service is activated and gives error even if during installation you
deselect it from the ip options
Version-Release number of selected component (if applicable):
Steps to Reproduce:
install, deselect ipv6 and watch startup
I think during installation it would be possible to remove the file
if the ipv6 option is not selected.
In fact, during startup of the service there is
# Do not start if there is no config file.
[ -f "$IP6TABLES_DATA" ] || return 1
or set up the ip6tables service not to start via chkconfig....
Far better would be to have the initscript determine whether the kernel supports
ipv6 and just exit silently if not. And it looks like
if [ ! -d /proc/sys/net/ipv6 ]; then exit 1; fi
would be a good way to check
Done in 1.3.7-2
(In reply to comment #1)
> Far better would be to have the initscript determine whether the kernel supports
> ipv6 and just exit silently if not. And it looks like
> if [ ! -d /proc/sys/net/ipv6 ]; then exit 1; fi
> would be a good way to check
Does this really have the intended effect? I'm not sure this is ever present at
boot time. In F7, ip6tables won't start at boot due to this check; however,
running the script while the system is running will succeed if ipv6 is enabled.
The same holds true with this version on RHEL 5 as well.
Bugs such as https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229879 are
hidden due to this as well.
Fixing this issue in this manner now causes a BIG SECURITY ISSUE on all IPv6-enabled
FC7 (perhaps also FC6) systems. Because now, if the IPv6 module is loaded
during S10network, the ip6tables ruleset is never applied - that is surely not the
intention. Default is now ACCEPT on incoming IPv6!
See also: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244721
Looks like there is a hen-and-egg problem. Probably the best solution would be to
move the ip6tables start from S08 to S11. In this case the ACCEPT rules are only
active for a short time.
Another solution would be to call "service ip6tables start" from network
functions, if IPv6 module is loaded.
BTW: please also test such changes next time in an IPv6-enabled environment to
make sure such a security issue is not caused by a "minor" change!
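The following is an added illustration, not the Fedora initscript or any code from this bug: it models the /proc/sys/net/ipv6 check proposed in comment #1 and the start-order hazard described above, with the root directory as a parameter so the logic runs against a constructed tree rather than the real /proc and /etc.

```shell
#!/bin/sh
# Added example: models the ip6tables "start" decision and the S08-vs-S11
# ordering problem. "$1" is a constructed root (hypothetical), not "/".

# Returns 0 when the kernel currently exposes IPv6 (the check from comment #1).
ipv6_present() {
    [ -d "$1/proc/sys/net/ipv6" ]
}

# What "service ip6tables start" would decide, in the order the thread describes:
# exit silently when IPv6 is absent, refuse when no ruleset file exists (the
# script's "return 1"), otherwise apply the ruleset.
ip6tables_decision() {
    root=$1
    ipv6_present "$root" || { echo "skip-no-ipv6"; return 0; }
    [ -f "$root/etc/sysconfig/ip6tables" ] || { echo "skip-no-config"; return 1; }
    echo "apply"
}

# Simulate one boot: services run in S-number order. "network" stands in for
# S10network loading the ipv6 module (it creates the proc directory);
# "ip6tables" records the decision it reached. Prints that decision so the
# caller can see whether a ruleset was ever applied during boot.
simulate_boot() {
    root=$1; shift
    result="never-ran"
    for svc in $(printf '%s\n' "$@" | sort); do
        case $svc in
            S*network)   mkdir -p "$root/proc/sys/net/ipv6" ;;
            S*ip6tables) result=$(ip6tables_decision "$root" || true) ;;
        esac
    done
    echo "$result"
}
```

With a ruleset file present, S08ip6tables before S10network yields "skip-no-ipv6" (the silent exit that leaves the default ACCEPT in place), while S11ip6tables after S10network yields "apply".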
I'm going to reopen this bug. This fix appears to need fixing.
Fixed in rawhide in package iptables-1.3.8-4.1 or newer.
You have to blacklist the ipv6 module in /etc/modprobe.conf or /etc/modprobe.d/*