Bug 375581 - a netfilter module re-enables ipv6 when disabled
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel
Version: 8
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-11 02:08 EST by Jerry Vonau
Modified: 2007-12-13 20:00 EST
Last Closed: 2007-11-26 23:06:19 EST
Description Jerry Vonau 2007-11-11 02:08:25 EST
Description of problem:
I run my boxes with ip6 disabled, you know, don't
run what is not needed. I couldn't figure out why I was seeing ipv6
addresses on my interfaces, and the ipv6 module was loaded when I know that
I disabled ipv6 in modprobe.conf and sysconfig/network. I disabled the
startup on any services that I start on boot except for the network, and
the ipv6 addresses were gone. Upon starting just shorewall, the
addresses were back: shorewall loads the module nf_nat_h323, which loads the
nf_conntrack_h323 module, and that loads ipv6!

Version-Release number of selected component (if applicable):
1.3.8-5.fc8

How reproducible:
always

Steps to Reproduce:
1. disable ipv6
2. modprobe nf_nat_h323
  
Actual results:
ipv6 addresses get assigned to the interfaces.

Expected results:
ipv6 stays disabled

Additional info:
I've disabled the loading of nf_nat_h323 and the ipv6 addresses don't appear.
Comment 1 Thomas Woerner 2007-11-12 05:35:48 EST
I can reproduce the problem here. nf_conntrack_h323 has a dependency on the ipv6
module.

This is not an iptables userland problem, therefore assigning to kernel.
Comment 2 Thomas Woerner 2007-11-12 05:42:31 EST
The missing symbol is: ip6_route_output
Comment 3 Dave Jones 2007-11-26 23:06:19 EST
There's no clean way to remove the dependency other than to fork the h323 code
into a separate ip6 version, which would be 99% the same (other than that
function) which seems like ridiculous overkill.

There's no quick fix here, so if having ipv6.ko loaded is an issue for you, I'd
suggest to bring it up with the upstream networking developers on
netdev@vger.kernel.org
Comment 4 Jerry Vonau 2007-11-27 13:25:15 EST
Nothing should override a system configuration option. I think it would be best
if nf_conntrack_h323 couldn't load, if ipv6 was not already loaded. It should
refuse to load if ipv6 is disabled, like in this post:
https://bugzilla.novell.com/show_bug.cgi?id=334057 
Comment 5 Chuck Ebbert 2007-11-27 14:49:07 EST
If all else fails, rename or erase ipv6.ko
Comment 6 Jerry Vonau 2007-12-13 20:00:20 EST
FYI Fixed upstream:

http://marc.info/?l=netfilter-devel&m=119676981314842&w=4
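
Added example (not part of the original report or of any comment above): a shell check that lists every module whose dependency chain reaches ipv6, so a module that would pull ipv6.ko back in is found before it is loaded. The function names and the sample modules.dep text are constructed for illustration; only the nf_nat_h323 -> nf_conntrack_h323 -> ipv6 chain comes from this bug.

```shell
#!/bin/sh
# Added example: find modules that directly or transitively depend on a
# target module, from modules.dep-formatted text ("mod.ko: dep1.ko dep2.ko").
# Real use: modules_pulling_in ipv6 < /lib/modules/$(uname -r)/modules.dep

# Constructed sample; paths and the nf_nat/nf_conntrack entries are
# illustrative, the h323 -> ipv6 chain is the one reported in this bug.
sample_modules_dep() {
cat <<'EOF'
kernel/net/ipv6/ipv6.ko:
kernel/net/netfilter/nf_conntrack.ko:
kernel/net/netfilter/nf_conntrack_h323.ko: kernel/net/ipv6/ipv6.ko kernel/net/netfilter/nf_conntrack.ko
kernel/net/ipv4/netfilter/nf_nat.ko: kernel/net/netfilter/nf_conntrack.ko
kernel/net/ipv4/netfilter/nf_nat_h323.ko: kernel/net/netfilter/nf_conntrack_h323.ko kernel/net/ipv4/netfilter/nf_nat.ko
EOF
}

# modules_pulling_in TARGET   (modules.dep text on stdin)
# Prints, sorted, the modules whose dependency chain includes TARGET.
modules_pulling_in() {
  awk -v target="$1" '
    # Reduce "path/to/name.ko[.gz][:]" to the bare module name.
    function name(p) { sub(/.*\//, "", p); sub(/\.ko.*$/, "", p); return p }
    # Depth-first walk with memoisation; seen[] also guards against loops.
    function reaches(m,    n, a, k) {
      if (m in seen) return seen[m]
      seen[m] = 0
      n = split(deps[m], a, " ")
      for (k = 1; k <= n; k++)
        if (a[k] == target || reaches(a[k])) { seen[m] = 1; break }
      return seen[m]
    }
    {
      mod = name($1)
      mods[mod] = 1
      for (i = 2; i <= NF; i++) deps[mod] = deps[mod] " " name($i)
    }
    END { for (m in mods) if (reaches(m)) print m }
  ' | sort
}

# Demo on the constructed sample.
sample_modules_dep | modules_pulling_in ipv6
```

Any module this prints that the firewall or another service loads at boot will bring ipv6 back unless that module is itself kept from loading, which is the workaround described in the report.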