Bug 375581 - a netfilter module re-enables ipv6 when disabled
Summary: a netfilter module re-enables ipv6 when disabled
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 8
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2007-11-11 07:08 UTC by Jerry Vonau
Modified: 2007-12-14 01:00 UTC (History)
Clone Of:
Last Closed: 2007-11-27 04:06:19 UTC



Description Jerry Vonau 2007-11-11 07:08:25 UTC
Description of problem:
I run my boxes with ip6 disabled, you know, don't
run what is not needed. I couldn't figure out why I was seeing ipv6
addresses on my interfaces, and ipv6 module was loaded when I know that
I disabled ipv6 in modprobe.conf and sysconfig/network. I disabled the
startup on any services that I start on boot except for the network, and
the ipv6 addresses were gone. Upon starting just shorewall, the
addresses were back, shorewall loads the module nf_nat_h323 which loads the
nf_conntrack_h323 module, and that loads ipv6! 

Version-Release number of selected component (if applicable):
1.3.8-5.fc8

How reproducible:
always

Steps to Reproduce:
1. disable ipv6
2. modprobe nf_nat_h323
  
Actual results:
ipv6 addresses get assigned to the interfaces.

Expected results:
ipv6 stays disabled

Additional info:
I've disabled the loading of nf_nat_h323 and the ipv6 addresses don't appear.

Comment 1 Thomas Woerner 2007-11-12 10:35:48 UTC
I can reproduce the problem here. nf_conntrack_h323 has a dependency on the ipv6
module.

This is not an iptables userland problem, therefore assigning to kernel.

Comment 2 Thomas Woerner 2007-11-12 10:42:31 UTC
The missing symbol is: ip6_route_output

Comment 3 Dave Jones 2007-11-27 04:06:19 UTC
There's no clean way to remove the dependency other than to fork the h323 code
into a separate ip6 version, which would be 99% the same (other than that
function) which seems like ridiculous overkill.

There's no quick fix here, so if having ipv6.ko loaded is an issue for you, I'd
suggest to bring it up with the upstream networking developers on
netdev@vger.kernel.org


Comment 4 Jerry Vonau 2007-11-27 18:25:15 UTC
Nothing should override a system configuration option. I think it would be best
if nf_conntrack_h323 couldn't load, if ipv6 was not already loaded. It should
refuse to load if ipv6 is disabled, like in this post:
https://bugzilla.novell.com/show_bug.cgi?id=334057 






Comment 5 Chuck Ebbert 2007-11-27 19:49:07 UTC
If all else fails, rename or erase ipv6.ko

Comment 6 Jerry Vonau 2007-12-14 01:00:20 UTC
FYI Fixed upstream:

http://marc.info/?l=netfilter-devel&m=119676981314842&w=4
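
Added example, not part of any comment in this bug and not code from the kernel or Fedora: a small audit that walks a `modules.dep`-style dependency list and reports every module whose load would pull in `ipv6`, with the chain that causes it (the nf_nat_h323 -> nf_conntrack_h323 -> ipv6 chain reported above). The sample dependency data and its paths are constructed for illustration, and the function names are hypothetical.

```python
import os
import re
from collections import deque

# Constructed sample in modules.dep format ("module: dep dep ..."); paths are illustrative.
SAMPLE_MODULES_DEP = """\
kernel/net/ipv6/ipv6.ko:
kernel/net/netfilter/nf_conntrack.ko:
kernel/net/netfilter/nf_conntrack_h323.ko: kernel/net/netfilter/nf_conntrack.ko kernel/net/ipv6/ipv6.ko
kernel/net/ipv4/netfilter/nf_nat.ko: kernel/net/netfilter/nf_conntrack.ko
kernel/net/ipv4/netfilter/nf_nat_h323.ko: kernel/net/netfilter/nf_conntrack_h323.ko kernel/net/ipv4/netfilter/nf_nat.ko
kernel/net/netfilter/nf_conntrack_ftp.ko: kernel/net/netfilter/nf_conntrack.ko
"""

def module_name(path):
    """Reduce '/x/y/nf-nat.ko.xz' to 'nf_nat' (the kernel treats '-' and '_' alike)."""
    base = os.path.basename(path.strip())
    return re.sub(r"\.ko(\..*)?$", "", base).replace("-", "_")

def parse_modules_dep(text):
    """Return {module: [dependencies listed on its line]}."""
    deps = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        mod, _, rest = line.partition(":")
        deps[module_name(mod)] = [module_name(d) for d in rest.split()]
    return deps

def chains_to(deps, target="ipv6"):
    """Map each module that ends up loading `target` to one shortest dependency chain."""
    chains = {}
    for start in deps:
        if start == target:
            continue
        # Breadth-first search, so indirect dependencies are followed as well.
        queue, seen = deque([[start]]), {start}
        while queue:
            chain = queue.popleft()
            if chain[-1] == target:
                chains[start] = chain
                break
            for dep in deps.get(chain[-1], []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(chain + [dep])
    return chains

if __name__ == "__main__":
    for mod, chain in sorted(chains_to(parse_modules_dep(SAMPLE_MODULES_DEP)).items()):
        print(f"{mod}: {' -> '.join(chain)}")
```

To audit a real system, pass the contents of `/lib/modules/$(uname -r)/modules.dep` to `parse_modules_dep` instead of the sample.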


