Amazon Linux 2 latest 4.14 kernel breaks nftables


Starting with amzn2-ami-hvm-2.0.20240131.0-x86_64-gp2

<login>
sudo -s
yum install nftables
nft add table ip filter
# works fine on kernel 4.14.336-253.554.amzn2.x86_64
yum update -y
# installs kernel 4.14.336-255.557.amzn2.x86_64
reboot
<login>
sudo -s
nft add table ip filter
Error: Could not process rule: Operation not supported
add table ip filter
^^^^^^^^^^^^^^^^^^^^

It seems that kernel 4.14.336-255.557 has broken netfilter in some way.

The nf_tables kernel module is loaded:

# lsmod | grep nf
nf_tables             110592  0
nfnetlink              16384  1 nf_tables

Also, the same command works fine on the latest 5.10 kernel.

Any ideas how to fix this?

Thanks, Douglas.

Douglas
asked 3 months ago, 243 views
1 Answer

Hello Douglas,

Greetings of the day! Thank you for contacting AWS.

To assist you here, I tried to replicate the issue in my lab environment, where I was able to reproduce the issue with the mentioned kernel version and observed the same error message:

$ uname -r
4.14.336-255.557.amzn2.x86_64

$ nft add table ip filter
Error: Could not process rule: Operation not supported
add table ip filter

I have checked this internally and I have found that it is a known bug to us, where you are unable to install nftables rules on the kernel version in question.

The internal team is fully aware of the situation and they are working on it to deploy the mitigations very soon. Other kernels or other functionality are not affected. Remaining on the previous 4.14 kernel build or upgrading to kernel 5.10 also works around the issue.

I do not have an ETA for this at the moment; however, I can assure you that our Amazon Linux team is working on it.

As part of general security practice we recommend using Amazon VPC and Amazon EC2 security groups for controlling network access to your instances:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security.html

Thank you, and I wish you a good day ahead!

AWS
SUPPORT ENGINEER
Kush_C
answered 3 months ago
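Since a ruleset that fails to load leaves the host with no packet filtering at all, a practitioner would want a preflight check before relying on nftables on a freshly updated instance. The script below is an added example, not code from the question or from AWS support: it flags the kernel build this thread reports as broken, then exercises the same "add table" path on a throwaway table so any other build that fails the same way is caught too. The function and table names are assumptions; NFT is an optional override for the nft binary path.

```shell
#!/bin/sh
# Known-broken Amazon Linux 2 build from this thread (space-separated list
# so further builds can be added if more are reported).
KNOWN_BROKEN_KERNELS="4.14.336-255.557.amzn2.x86_64"

# Returns 0 if the given kernel release string is one reported as broken.
kernel_is_known_broken() {
  for k in $KNOWN_BROKEN_KERNELS; do
    [ "$1" = "$k" ] && return 0
  done
  return 1
}

# Probe the running kernel: create a scratch table and delete it again.
# This hits the same nf_tables netlink path as "nft add table ip filter"
# without touching any production table. Returns 0 if nftables works,
# 1 (and prints nft's own error) if it does not.
nft_probe() {
  tbl="${1:-preflight_probe}"          # assumed scratch table name
  if ! err=$("${NFT:-nft}" add table ip "$tbl" 2>&1); then
    echo "nft add table failed: $err" >&2
    return 1
  fi
  "${NFT:-nft}" delete table ip "$tbl" 2>/dev/null
}

# Run before loading a ruleset. Exit codes: 0 ok, 2 known-broken kernel,
# 1 probe failed for another reason. Fail loudly rather than continue
# with an unfiltered host.
preflight() {
  rel="${1:-$(uname -r)}"
  if kernel_is_known_broken "$rel"; then
    echo "kernel $rel: nftables known broken; stay on the previous 4.14 build or move to 5.10" >&2
    return 2
  fi
  if ! nft_probe; then
    echo "kernel $rel: nftables probe failed; refusing to load rules blindly" >&2
    return 1
  fi
  return 0
}

# Typical use: preflight && nft -f /etc/nftables.conf
```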
