Problems with unloading kernel-module Rocky Linux 8 and 9

Hi.

Due to CVE-2023-32233, a vulnerability in the netfilter subsystem of the kernel, Red Hat recommends two possible mitigations (https://access.redhat.com/security/cve/cve-2023-32233).

One mitigation is to set /proc/sys/user/max_user_namespaces=0 which is easy enough, but this solution is not suitable for systems running containers.

For systems running containers the workaround is to prevent the nf_tables kernel module from loading, and the first step is to unload it from the running system.

This works fine for CentOS 7 systems, but for Rocky Linux 8 and 9 I get the following error message:

$ sudo systemctl status nftables
nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:nft(8)
CPU: 0

It looks like the module is not in use, but it is not possible to unload it?

$ sudo modprobe -r nf_tables
modprobe: FATAL: Module nf_tables is in use.

I would really appreciate it if anyone has any suggestions here.

Regards, Kristin

el8 and el9 do have two (mutually exclusive) services for firewall management.
The nftables.service is not the default. The FirewallD is. See:

sudo systemctl status firewalld

The issue is that both of these do use nf_tables as the backend.
Even the command iptables is a mere wrapper that talks to nf_tables.
The el7 has the nf_tables as an add-on and firewall management talks to
netfilter in the kernel (unless you explicitly install and use nftables.service).
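The reply above explains the "Module nf_tables is in use" message: on el8/el9 the firewall stack itself holds references to nf_tables. The script below is an added example (not from this thread, and not Red Hat's or Rocky's tooling) that reads lsmod output to show where those references come from, lists the holder chain in the order it would have to be removed, and prints the standard modprobe.d fragment used to stop a module from loading. The lsmod text it parses is constructed to resemble an el8/el9 host with firewalld running; on a real host pass "$(lsmod)" instead of SAMPLE_LSMOD.

```shell
#!/bin/sh
# Added example for this thread. The kernel refuses to unload a module whose
# reference count is non-zero; lsmod's "Used by" column shows that count
# followed by the other modules holding it. SAMPLE_LSMOD is constructed
# sample data, not a capture from a real system.

SAMPLE_LSMOD='Module                  Size  Used by
nft_fib_inet           16384  1
nft_fib_ipv4           16384  1 nft_fib_inet
nft_fib_ipv6           16384  1 nft_fib_inet
nft_reject_inet        16384  2
nft_chain_nat          16384  4
nf_nat                 57344  1 nft_chain_nat
nft_compat             20480  12
nf_tables             249856  312 nft_fib_inet,nft_fib_ipv4,nft_fib_ipv6,nft_reject_inet,nft_chain_nat,nft_compat
nfnetlink              20480  3 nft_compat,nf_tables
x_tables               53248  1 nft_compat'

# module_refcount MODULE LSMOD_TEXT
# Prints the "Used by" count for MODULE, or nothing if it is not loaded.
module_refcount() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { print $3 }'
}

# module_holders MODULE LSMOD_TEXT
# Prints the comma-separated modules holding a reference to MODULE
# (fourth lsmod column); empty if none.
module_holders() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { print $4 }'
}

# unload_order MODULE LSMOD_TEXT
# Walks the holder chain and prints modules leaves-first, ending with MODULE:
# the order in which they would have to be removed. Each name appears once.
unload_order() {
    _seen=""
    _walk "$1" "$2"
}
_walk() {
    _holders=$(module_holders "$1" "$2")
    _oldifs=$IFS
    IFS=,
    for _h in $_holders; do
        IFS=$_oldifs
        case " $_seen " in
            *" $_h "*) ;;             # already listed
            *) _walk "$_h" "$2" ;;
        esac
    done
    IFS=$_oldifs
    case " $_seen " in
        *" $1 "*) ;;
        *) _seen="$_seen $1"; printf '%s\n' "$1" ;;
    esac
}

# explain_in_use MODULE LSMOD_TEXT
# Prints a one-line verdict. Returns 0 when "modprobe -r MODULE" could
# succeed, 1 when the kernel would answer "Module MODULE is in use".
explain_in_use() {
    _rc=$(module_refcount "$1" "$2")
    _hold=$(module_holders "$1" "$2")
    if [ -z "$_rc" ]; then
        printf '%s is not loaded\n' "$1"
        return 0
    fi
    if [ "$_rc" -eq 0 ]; then
        printf '%s has no users and can be unloaded\n' "$1"
        return 0
    fi
    # A count larger than the number of holder modules means the remaining
    # references are live kernel objects (tables, chains, rules, open netlink
    # sockets), which is what firewalld or nftables.service leaves behind.
    printf '%s is in use: refcount %s, holder modules: %s\n' \
        "$1" "$_rc" "${_hold:-none}"
    return 1
}

# disable_autoload_conf MODULE
# Prints a modprobe.d fragment: "install ... /bin/false" makes every load
# request for MODULE fail, "blacklist" stops alias-based autoloading. It only
# affects modules that are not already loaded, and on el8/el9 it also stops
# firewalld and nftables.service from working, since both need nf_tables.
disable_autoload_conf() {
    printf 'install %s /bin/false\nblacklist %s\n' "$1" "$1"
}

# Stand-alone demo against the constructed sample.
explain_in_use nf_tables "$SAMPLE_LSMOD" || true
printf 'Unload order if every holder could be removed:\n'
unload_order nf_tables "$SAMPLE_LSMOD"
printf 'modprobe.d fragment to keep it from loading:\n'
disable_autoload_conf nf_tables
```

On a real host the same functions work with `"$(lsmod)"` as the second argument, and `/sys/module/nf_tables/refcnt` and `/sys/module/nf_tables/holders/` give the same numbers without parsing text. A refcount well above the number of holder modules is the normal state on an el8/el9 box with firewalld active, which is why unloading fails even though nftables.service is inactive.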

Hi.
Thanks for clearing that up! Makes sense. The best is probably to wait for a patch then.

Kristin