Red Hat Bugzilla – Bug 375581
a netfiter module re-enables ipv6 when disabled
Last modified: 2007-12-13 20:00:20 EST
Description of problem: I run my boxes with ip6 disabled, you know, don't run what is not needed. I couldn't figure out why I was seeing ipv6 addresses on my interfaces, and ipv6 module was loaded when I know that I disabled ipv6 in modprobe.conf and sysconfig/network. I disabled the startup on any services that I start on boot except for the network, and the ipv6 addresses were gone. Upon starting just shorewall, the addresses were back, shorewall loads the module nf_nat_h323 which loads the nf_conntrack_h323 module, and that loads ipv6! Version-Release number of selected component (if applicable): 1.3.8-5.fc8 How reproducible: always Steps to Reproduce: 1.disable ipv6 2.modprobe nf_nat_h323 3. Actual results: ipv6 addresses get assigned to the interfaces. Expected results: ipv6 stays disabled Additional info: I've disabled the loading of nf_nat_h323 and the ipv6 addresses don't appear.
I can reproduce the problem here. nf_conntrack_h323 has a dependency on the ipv6 module. This is not an iptables userland problem, therefore assigning to kernel.
The missing symbol is: ip6_route_output
There's no clean way to remove the dependancy other than to fork the h323 code into a seperate ip6 version, which would be 99% the same (other than that function) which seems like ridiculous overkill. There's no quick fix here, so if having ipv6.ko loaded is an issue for you, I'd suggest to bring it up with the upstream networking developers on netdev@vger.kernel.org
Nothing should override a system configuration option. I think it would be best if nf_conntrack_h323 couldn't load, if ipv6 was not already loaded. It should refuse to load if ipv6 is disabled, like in this post: https://bugzilla.novell.com/show_bug.cgi?id=334057
If all else fails, rename or erase ipv6.ko
FYI Fixed upstream: http://marc.info/?l=netfilter-devel&m=119676981314842&w=4