Bugfix 4951: Don't fail if IPv6 kernel module is not loaded.

Handle the case where the IPv6 kernel module is not loaded more gracefully.

1 files changed, 14 insertions, 9 deletions

diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index ea60955..c3a0115 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -44,6 +44,7 @@ declare -a modules=(
 
 ## setup firewall & nat conntrack modules
 start () {
+    
     for mod in ${modules[@]} ; do 
 	modprobe --syslog $mod
     done
@@ -53,9 +54,19 @@ start () {
     iptables -t raw -A PREROUTING -j NOTRACK
     iptables -t raw -A OUTPUT -j NOTRACK
 
-    # set up notrack chains/rules for IPv6
-    ip6tables -t raw -A PREROUTING -j NOTRACK
-    ip6tables -t raw -A OUTPUT -j NOTRACK
+    if [ -d /proc/sys/net/ipv6 ] ; then
+	# set up notrack chains/rules for IPv6
+	ip6tables -t raw -A PREROUTING -j NOTRACK
+	ip6tables -t raw -A OUTPUT -j NOTRACK
+
+	# set up post-firewall hook for IPv6
+	ip6tables -N VYATTA_POST_FW_HOOK
+	ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT
+	ip6tables -A INPUT -j VYATTA_POST_FW_HOOK
+	ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK
+    else
+	logger -t "Vyatta firewall init" -p warning "Kernel IPv6 support disabled.  Not initializing IPv6 firewall"
+    fi
     
     # set up post-firewall hook for IPv4
     iptables -N VYATTA_POST_FW_HOOK
@@ -63,12 +74,6 @@ start () {
     iptables -A INPUT -j VYATTA_POST_FW_HOOK
     iptables -A FORWARD -j VYATTA_POST_FW_HOOK
 
-    # set up post-firewall hook for IPv6
-    ip6tables -N VYATTA_POST_FW_HOOK
-    ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT
-    ip6tables -A INPUT -j VYATTA_POST_FW_HOOK
-    ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK
-
     # set up pre-SNAT hook
     iptables -t nat -N VYATTA_PRE_SNAT_HOOK
     iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN