firewall_manager: Add fallbacks when missing kernel modules #3511

Open
litian1992 wants to merge 1 commit into Azure:develop from litian1992:litian-missing-modules

Contributor

@litian1992 litian1992 commented Dec 17, 2025

Description

There are firewall rules invoked without checking the existence of the dependent kernel modules, e.g. xt_owner and xt_conntrack. These modules reside in kernel-modules-extra in distros like RHEL. The kernel-modules-extra package is not a dependency of iptables in terms of UKI. Thus the existence deserves checking. In case they are not present, fall back to nftables from iptables, and to the network-setup service from firewall-cmd, respectively.

Issue #3510

PR information

  • Ensure development PR is based on the develop branch.
  • If applicable, the PR references the bug/issue that it fixes in the description.
  • New Unit tests were added for the changes made

Quality of Code and Contribution Guidelines


Distro maintenance information, if applicable

  • This is a contribution from a distro maintainer
  • The changes in this PR have been taken as a downstream patch (Note: it is not recommended to patch the agent without upstream review and approval)

In distros like RHEL, iptables relies on xt_conntrack and xt_owner
kernel modules which live in kernel-modules-extra package. It is
undesired in the world of UKI. Thus it's decided to be removed.
Therefore in case of missing iptables, firewall-cmd needs checking.
Fallback to network-setup service.

Signed-off-by: Li Tian <litian@redhat.com>
@litian1992 litian1992 force-pushed the litian-missing-modules branch from 261982a to 0eef88a on March 27, 2026 04:20
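One way to do the module check the description asks for, as an added example that is not code from this PR or from the agent: it looks for xt_owner and xt_conntrack among loaded modules (`/proc/modules` format) and in the `modules.builtin` and `modules.dep` indexes of a kernel module directory, then picks the fallback named in the description. All function names, the `network-setup` label and the sample data are assumptions made for the illustration.

```python
import os
import tempfile

REQUIRED = ("xt_owner", "xt_conntrack")  # modules named in the PR description
FALLBACK = {"iptables": "nftables", "firewall-cmd": "network-setup"}

def _norm(name):
    # The kernel treats '-' and '_' in module names as the same character.
    return name.replace("-", "_")

def available_modules(proc_modules_text, modules_dir):
    """Names of modules that are loaded, built in, or installed under modules_dir."""
    found = {_norm(l.split()[0]) for l in proc_modules_text.splitlines() if l.strip()}
    for index in ("modules.builtin", "modules.dep"):
        path = os.path.join(modules_dir, index)
        if not os.path.isfile(path):
            continue  # index absent: nothing more can be learned from it
        with open(path) as f:
            for line in f:
                entry = line.split(":", 1)[0].strip()  # modules.dep is "path: deps"
                if entry:
                    # Drop the directory and the .ko / .ko.xz / .ko.zst suffix.
                    found.add(_norm(os.path.basename(entry).split(".ko", 1)[0]))
    return found

def missing_modules(proc_modules_text, modules_dir, required=REQUIRED):
    have = available_modules(proc_modules_text, modules_dir)
    return [m for m in required if _norm(m) not in have]

def choose_backend(preferred, missing):
    """Keep the preferred tool only when every required module is available."""
    return FALLBACK[preferred] if missing else preferred

def demo():
    # Constructed sample: xt_conntrack is loaded, xt_owner is not installed at all.
    proc = "xt_conntrack 16384 2 - Live 0x0\nx_tables 65536 1 xt_conntrack, Live 0x0\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "modules.dep"), "w") as f:
            f.write("kernel/net/netfilter/nf_tables.ko.xz: kernel/lib/libcrc32c.ko.xz\n")
        missing = missing_modules(proc, d)
    return missing, choose_backend("iptables", missing), choose_backend("firewall-cmd", missing)

if __name__ == "__main__":
    print(demo())
```

On a real host the inputs would be the contents of `/proc/modules` and the directory `/lib/modules/<kernel release>`. A module listed in `modules.dep` can still fail to load, so the caller should also handle the rule command itself failing.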