Red Hat Bugzilla – Bug 292551
ipv6 installed and used despite "IPv6 Disabled" in configuration menu
Last modified: 2007-11-30 17:12:15 EST
Description of problem: The installed system runs ipv6 (loads kernel module ipv6
and uses it for networking services) despite having "Disabled" in the
IPv6/Prefix portion of the graphical configuration menu for Network Devices.
Version-Release number of selected component (if applicable):
How reproducible: always
Steps to Reproduce:
1. Boot rescue disk
2. Network install via http
3. Disable IPv6 for installer itself
4. Confirm "Disabled" in IPv6/Prefix section of configuration for Network Devices.
Actual results: Installed system loads kernel module ipv6, and networking uses
ipv6. The installed system contains no line "blacklist ipv6" in any file in
directory /etc/udev/rules.d, which seems to be the prefered mechanism for
actually inhibiting the use of ipv6. All kickstart lines for 'network' in
/root/anaconda-cfg.ks omit "--nopiv6" which would seem to be required if
"Disable IPv6" were to be propagated from the installer to the installed system.
Expected results: Installed system does not use ipv6, and kernel module ipv6 is
The observed behavior might quality as a security risk, because a facility that
was intended not to be used was not disabled.
See also bug # 241667 "--noipv6 option for network is ignored" in RHEL5.
This is as designed. At one point in time, I was writing out the 'blacklist
ipv6' line. However, Fedora will now always load the ipv6 module, but not
necessarily configure the interface. If you disable IPv6 during installation,
the IPv6 stack will not be configured, but the module will still be loaded.
This is not something that will change in Fedora, we are going to have the dual
stack from now on, but not necessarily configured. If users want to forcibly
prevent ipv6.ko from loading, you will have to do that by hand either in a
kickstart %post section or manually after installation.
There is a push to limit things like 'blacklist ipv6' setting by the installer
because that's really something we should never care about and neither should a
majority of the users. That's why it was removed. That and wanting to make
sure that software works with dual stack IPv4/IPv6 systems.