We recently upgraded from 8.4 to 8.5, and we noticed the default kernel modules for iptables changed.
The modules ip_tables, iptable_nat, and iptable_mangle were no longer loaded by default.
This seems to be a difference from 8.4 where they were loaded. We do have firewalld installed.
This wasn’t really an issue, but it caused the AWS CNI driver for EKS to fail to run if these modules were not loaded. My question is why these modules are no longer loaded by default? Is there any reason we should not load them in 8.5?
It might relate to this: Chapter 4. New features - Red Hat Enterprise Linux 8 | Red Hat Customer Portal
- firewalld was rebased to 0.9.3
- NetworkManager supports nftables as backend
Moreover, EL8 does not have iptables-legacy (see: iptables: The two variants and their relationship with nftables | Red Hat Developer).
Decreasing the use of deprecated features (iptables) seems logical, although breaking existing setups without easy-to-find documentation does not sound typical of RHEL.
Thanks for the link explaining iptables-legacy and iptables-nft.
I believe the source of the problem is the difference in what is installed on the host and what is installed in the AWS CNI driver container image. The image has iptables-legacy and the hosts now have iptables-nft.
I’m still working on the best way to resolve this.
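One way to compare the two sides the last reply describes (host vs. CNI container image), as an added example that is not part of the thread: a small POSIX shell snippet that classifies the iptables backend from `iptables -V` output and lists which of the modules named in the original post are absent from a /proc/modules listing. The sample module listing is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report the iptables backend a system uses
# and which of the modules named in the original post are not loaded.

# Classify the output of `iptables -V`, e.g. "iptables v1.8.4 (nf_tables)".
# Prints "nft", "legacy", or "unknown".
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nft ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# $1: text in /proc/modules format (module name is the first field of each line);
# remaining args: required module names. Prints the missing ones, space-separated.
missing_modules() {
  loaded=$1; shift
  missing=""
  for m in "$@"; do
    if ! printf '%s\n' "$loaded" | grep -q "^$m[[:space:]]"; then
      missing="$missing $m"
    fi
  done
  echo "${missing# }"
}

# Constructed sample in /proc/modules format: nftables pieces loaded, the
# three modules from the original post absent.
SAMPLE_MODULES='nf_tables 245760 1 nft_compat, Live 0x0000000000000000
nf_conntrack 172032 1 nf_nat, Live 0x0000000000000000
iptable_filter 16384 0 - Live 0x0000000000000000'

# Live check when the tools exist; run it on the host and again inside the
# container image to see whether the two report different backends.
if [ -r /proc/modules ] && command -v iptables >/dev/null 2>&1; then
  echo "backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
  echo "missing: $(missing_modules "$(cat /proc/modules)" ip_tables iptable_nat iptable_mangle)"
fi
```

If the host should load these modules at boot regardless of what firewalld requests, listing them in a file under /etc/modules-load.d/ (read by systemd-modules-load) is the standard mechanism.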