Atomic Secure Linux
 Post subject: new kernel is out 2.6.32.13-2
Unread postPosted: Wed Jun 02, 2010 5:21 am 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
Hi Scott and Mike,

I see a new kernel 2.6.32.13-2.art in ASL repo.
There was no announcement. What's the difference between
2.6.32.13-2 and 2.6.32.8-1?

Thanks


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Wed Jun 09, 2010 3:46 am 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
nothing about the new kernel?
Thanks


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Wed Jun 09, 2010 3:14 pm 
Offline
Forum Regular
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 704
Location: Sweden
I'm running it. Seems to work. I have one problem though. It seems like newer kernels handle IPv6 differently. Combined with the new gradm (gradm-2.1.14-6) released a few days ago, I get a lot of errors like this:
Code:
Jun  9 08:16:16 server7 kernel: grsec: From 85.226.78.90: denied kernel module auto-load of net-pf-10 by /usr/sbin/httpd[httpd:28623] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:24361] uid/euid:0/0 gid/egid:0/0


Earlier I also got the same kind of errors from DCC:

Jun 5 10:03:39 server7 kernel: grsec: denied kernel module auto-load of net-pf-10 by /usr/bin/dccproc[dccproc:13588] uid/euid:10020/10020 gid/egid:0/0, parent /usr/bin/spamd[spamd:7568] uid/euid:0/10020 gid/egid:0/103

I managed to get the ones from DCC to go away by disabling IPv6 functionality in DCC
Code:
cdcc ipv6 off


I have followed http://wiki.centos.org/FAQ/CentOS5#head-47912ebdae3b5ac10ff76053ef057c366b421dc4 to disable IPv6

I don't get any output from
Code:
 lsmod | grep v6
but httpd still tries to load the net-pf-10 module, resulting in a grsec error message and an ossec notification. The fastest way of triggering it is to load a WordPress site on the server.

So, over to my question. Anyone know how to definitely disable IPv6 so httpd doesn't pick it up and try to load the net-pf-10 module? Or is there a way to configure httpd not to use IPv6 at all?

PS This didn't happen before this kernel, so something must have changed in the way the kernel presents IPv6 to the system...


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Wed Jun 09, 2010 3:52 pm 
Offline
Forum Regular
Forum Regular

Joined: Wed May 12, 2010 5:40 pm
Posts: 137
I too have updated the kernel, and I too am having many errors regarding net-pf-10.
I have disabled IPv6 using the steps outlined in this forum by Mike, and until the kernel upgrade, it seemed to be fine.

I do not have the answer, but thought I would chip in a "me too" to this issue.


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Wed Jun 09, 2010 4:00 pm 
Offline
Forum Regular
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 704
Location: Sweden
Thanks a lot for that! Thought I was the only one out there...

I've been trying to solve this with Mike in the support portal, but he (and I) felt we started to get close to the end of the included ASL-support line, and I would like to see if we can find a solution in the forums.


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Wed Jun 09, 2010 6:30 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
User avatar

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
What happens if you add:

alias net-pf-10 ipv6 off
alias net-pf-10 off
alias ipv6 off

to /etc/modprobe.conf

You could also create a bad_list:

/etc/modprobe.d/bad_list

and add to that file this line:

alias net-pf-10 off

Then reboot. You can check to see if ipv6 is enabled with this command:

ip a | grep inet6

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Thu Jun 10, 2010 12:35 am 
Offline
Forum Regular
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 704
Location: Sweden
Tried them all and still get the error.

It even starts during boot. named also tried to load the net-pf-10 module.

I also see this in boot:
Code:
ip6_tables: (C) 2000-2006 Netfilter Core Team
ip6t_REJECT: Unknown symbol ip6_local_out
ip6t_REJECT: Unknown symbol ip6_route_output
ip6t_REJECT: Unknown symbol icmpv6_send
nf_conntrack_ipv6: Unknown symbol ip6_frag_match
nf_conntrack_ipv6: Unknown symbol nf_ip6_checksum
nf_conntrack_ipv6: Unknown symbol ip6_frag_init
nf_conntrack_ipv6: Unknown symbol inet6_hash_frag


You would think this means that ip6tables is trying to start... But it is disabled.
Code:
chkconfig --list | grep 6table
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Thu Jun 10, 2010 11:49 am 
Online
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7429
Location: earth
Might want to take a look at this from the CentOS FAQ

http://wiki.centos.org/FAQ/CentOS5#head ... 366b421dc4


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Thu Jun 10, 2010 11:56 am 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I had to go back from 2.6.32.13-2 to 2.6.32.8-1 (never installed 2.6.32.13-1) on one CentOS 4.8 box, because the iowait went through the roof. Not sure if it's related to this IPv6 problem, but I thought I'd mention it just in case.

_________________
Lemonbit Internet Dedicated Server Management


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Thu Jun 10, 2010 1:17 pm 
Offline
Forum Regular
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 704
Location: Sweden
scott wrote:
Might want to take a look at this from the CentOS FAQ

http://wiki.centos.org/FAQ/CentOS5#head ... 366b421dc4


Already tried all of it...


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Thu Jun 10, 2010 3:50 pm 
Offline
Forum Regular
Forum Regular

Joined: Wed May 12, 2010 5:40 pm
Posts: 137
I have in the past disabled IPv6, but I am getting the messages in my /var/log/messages
Quote:
denied kernel module auto-load of net-pf-10 by /usr/bin/php-cgi[php-cgi:32021]

This however is not in my httpd/error_log

I just ran the command
Quote:
ip a | grep inet6

which returned nothing... so, I assume IPv6 is disabled... but...

Quote:
chkconfig --list | grep 6table
ip6tables 0:off 1:off 2:on 3:off 4:off 5:off 6:off


Can I assume that because these are messages and not errors, there is nothing to be concerned about?


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Fri Jun 11, 2010 2:41 am 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
On some servers I see a lot of 'denied kernel module auto-load of net-pf-10' coming by in /var/log/messages, others not so much (just a few). I believe this is the cause of (or at least has to do with) the iowait problems I have seen on some of our servers. Rolling back to a previous kernel helped.

_________________
Lemonbit Internet Dedicated Server Management


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Fri Jun 11, 2010 3:56 am 
Offline
Forum Regular
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 704
Location: Sweden
I am starting to think this might be a good idea... It's getting really annoying...


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Fri Jun 11, 2010 5:21 am 
Offline
Forum Regular
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 704
Location: Sweden
Interesting. Just had a little debacle trying to use asl2.28 but had to return to 2.27. Then I also got an error message from asl-httpd.

Jun 11 10:05:17 server7 kernel: grsec: From 111.222.333.444 : denied kernel module auto-load of net-pf-10 by /var/asl/usr/sbin/asl-httpd[asl-httpd:6586] uid/euid:10003/10003 gid/egid:10003/10003, parent /var/asl/usr/sbin/asl-httpd[asl-httpd:3054] uid/euid:0/0 gid/egid:0/0

edit: 111.222.333.444 is the IP I accessed from...


 
 Post subject: Re: new kernel is out 2.6.32.13-2
Unread postPosted: Sat Jun 26, 2010 6:26 pm 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Has anyone gotten rid of the 'denied kernel module auto-load of net-pf-10' messages yet?

_________________
Lemonbit Internet Dedicated Server Management
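
To see which services account for the grsec denials quoted throughout this thread, the lines can be parsed and counted per requesting binary. This is an added example, not part of any post in the thread; the regular expression is modelled on the message layout shown in the posts, and the function names and sample lines (documentation IPs, made-up PIDs) are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the grsec message as it appears in the posts above.
GRSEC_DENY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\sgrsec:\s"
    r"(?:From\s(?P<src>\S+)\s?:\s)?"  # source address, present on only some lines
    r"denied kernel module auto-load of (?P<module>\S+) by "
    r"(?P<exe>/\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]\s"
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)\sgid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r"(?:,\sparent\s(?P<parent_exe>/\S+?)\[[^\]]+\])?"
)

# net-pf-N is the module alias the kernel requests when a socket of
# protocol family N is created; family 10 is AF_INET6 on Linux.
FAMILY = {"net-pf-10": "AF_INET6"}

# Constructed sample lines, not copied from a real log.
SAMPLE = [
    "Jun  9 08:16:16 server7 kernel: grsec: From 192.0.2.10: denied kernel module auto-load of net-pf-10 by /usr/sbin/httpd[httpd:28623] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:24361] uid/euid:0/0 gid/egid:0/0",
    "Jun  9 08:16:20 server7 kernel: grsec: From 192.0.2.10: denied kernel module auto-load of net-pf-10 by /usr/sbin/httpd[httpd:28630] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:24361] uid/euid:0/0 gid/egid:0/0",
    "Jun  5 10:03:39 server7 kernel: grsec: denied kernel module auto-load of net-pf-10 by /usr/bin/dccproc[dccproc:13588] uid/euid:10020/10020 gid/egid:0/0, parent /usr/bin/spamd[spamd:7568] uid/euid:0/10020 gid/egid:0/103",
    "Jun 10 15:50:02 server7 kernel: grsec: From 198.51.100.7 : denied kernel module auto-load of net-pf-10 by /usr/bin/php-cgi[php-cgi:32021] uid/euid:10003/10003 gid/egid:10003/10003",
    "Jun  9 08:17:01 server7 crond[1234]: (root) CMD (run-parts /etc/cron.hourly)",
]

def parse_denials(lines):
    """Return one dict per module auto-load denial; other log lines are skipped."""
    events = []
    for line in lines:
        m = GRSEC_DENY.match(line)
        if m:
            ev = m.groupdict()
            ev["family"] = FAMILY.get(ev["module"], "unknown")
            events.append(ev)
    return events

def summarize(events):
    """Count denials per (module, requesting binary)."""
    return Counter((e["module"], e["exe"]) for e in events)

if __name__ == "__main__":
    for (module, exe), n in summarize(parse_denials(SAMPLE)).most_common():
        print(f"{n:4d}  {module} ({FAMILY.get(module, 'unknown')})  requested by {exe}")
```

Feeding it the lines of /var/log/messages instead of SAMPLE gives the list of binaries that still open IPv6 sockets, which are the ones to reconfigure (as was done for DCC with `cdcc ipv6 off`).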

