Hi.
Due to CVE-2023-32233, a vulnerability in the netfilter subsystem of the kernel, Redhat recommends two possible mitigations. ( https://access.redhat.com/security/cve/cve-2023-32233)
One mitigation is to set /proc/sys/user/max_user_namespaces=0 which is easy enough, but this solution is not suitable for systems running containers.
For systems running containers the workaround is to prevent the nf_tables kernel module from loading, and the first step is to unload it from the running system.
This works fine for CentOS7-systems, but for Rocky Linux 8 and 9 I get the following errormessage:
$sudo systemctl status nftables
nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)
CPU: 0
It looks like the module is not in use, but it is not possible to unload it ?
$sudo modprobe -r nf_tables
modprobe: FATAL: Module nf_tables is in use.
I would really appreciate it if anyone has any suggestions here.
Regards, Kristin