[BUG] firewalld.service fails due to missing modules

[litian1992]

WALA invokes a few firewall rules which depend on certain kernel modules. e.g. "-m owner" and "-m conntrack" rely on xt_owner and xt_conntrack. These modules reside in kernel-modules-extra package for distros like RHEL.
Because kernel-modules-extra is not a dependency of iptables or firewalld, these rules can fail.
Culprit: https://github.com/Azure/WALinuxAgent/blob/master/azurelinuxagent/ga/firewall_manager.py#L377

This is not an issue previously because kernel package pulls in kernel-modules-extra with kernel-modules-extra-matched which is a dependency of iptables. Unfortunately this is not the case in term of UKI.

Example failure messages:

firewalld[8037]: 
ERROR: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: Warning: Extension tcp revision 0 not supported, missing kernel module? 
Warning: Extension owner revision 0 not supported, missing kernel module? 
Warning: Extension conntrack revision 0 not supported, missing kernel module? 
iptables-restore v1.8.11 (nf_tables): 
line 3: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT 
line 4: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT 

Therefore, WALA should add some checks/fallbacks when these kernel modules don't exist.

[narrieta]

@litian1992 Thanks for reporting this. Sounds like kernel-modules-extra should be a dependency of the waagent package.

[litian1992]

Sounds like kernel-modules-extra should be a dependency of the waagent package.

I'm not certain of that. The 'kernel-modules-extra' package in distro like RHEL has a hard dependency on 'kernel-modules'. Neither of which are desired in a UKI system. We are discussing internally of moving those mentioned modules to modules-extra-matched. But fallbacks seem reasonable for WALA.

[narrieta]

@litian1992 let me try to start an internal conversation with our contacts in Red Hat, I'll add you to it.

[litian1992]

We are discussing internally of moving those mentioned modules to modules-extra-matched.

Scratch this. I amended the fallback logic for both iptables and firewall-cmd to nftables and network-setup service respectively in the PR. Hope it helps.

@litian1992 let me try to start an internal conversation with our contacts in Red Hat, I'll add you to it.

Hope you had a good holiday @narrieta. Any updates on this subject?

[narrieta]

@litian1992 we reached out to Red Hat a couple of days ago.

[narrieta]

@litian1992 I see that you changed the approach in the PR. This may be more appropriate. Is there an image in the marketplace where we can test this?

[litian1992]

@litian1992 I see that you changed the approach in the PR. This may be more appropriate. Is there an image in the marketplace where we can test this?

I dropped the patch in a RHEL 10.2 image which is in my gallery. Firewalld doesn't have those persistent rules anymore and is running fine. Instead,

2026-01-08T05:24:05.390095Z INFO ExtHandler Fetch goal state from WireServer completed
2026-01-08T05:24:05.390366Z INFO ExtHandler ExtHandler Goal state initialization completed.
2026-01-08T05:24:05.401347Z INFO ExtHandler ExtHandler OpenSSL version: OpenSSL 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025)

2026-01-08T05:24:05.448164Z INFO ExtHandler ExtHandler Using nft [version nftables v1.1.5 (Commodore Bullmoose #6)] to manage firewall rules
2026-01-08T05:24:05.448585Z INFO ExtHandler ExtHandler Checking state of the firewall
2026-01-08T05:24:05.534445Z INFO ExtHandler ExtHandler Created firewall rules for Azure Fabric:
table ip walinuxagent {
        chain output {
                type filter hook output priority filter; policy accept;
                ip daddr 168.63.129.16 tcp dport != 53 meta skuid != 0 ct state invalid,new counter packets 0 bytes 0 drop
        }
}

2026-01-08T05:24:05.534927Z INFO ExtHandler ExtHandler Setting up persistent firewall rules
2026-01-08T05:24:05.752443Z INFO ExtHandler ExtHandler The firewalld service is running
2026-01-08T05:24:05.752637Z INFO ExtHandler ExtHandler Firewalld.service is running, setting up permanent rules on the VM
2026-01-08T05:24:05.756642Z WARNING ExtHandler ExtHandler Cannot use firewall-cmd for persistent rules: Required kernel modules (xt_owner, xt_conntrack) are not available for firewall-cmd. Falling back to custom network-setup service.
2026-01-08T05:24:05.757038Z INFO ExtHandler ExtHandler Successfully updated the Binary file /var/lib/waagent/waagent-network-setup.py for firewall setup
2026-01-08T05:24:05.763575Z INFO ExtHandler ExtHandler Service: waagent-network-setup.service not enabled. Adding it now
2026-01-08T05:24:06.388754Z INFO ExtHandler ExtHandler Successfully added and enabled the waagent-network-setup.service

[narrieta]

Thanks, but I need to test this on my side. We haven't' got a reply from the contact in Red Hat that we reached out to. Do you have a way to share that image with me? I'll also ask our internal team to reach out to Red Hat again.

[litian1992]

@narrieta Just a friendly ping. Did you or anyone have a chance testing the image provided? Thanks.

[litian1992]

Hello @narrieta if the proposed patch doesn't look fit, I'm happy to drop it. But we have a realistic issue to address here in RHEL. So please let me know either way. Thank you.

[litian1992]

@narrieta I changed to a even simpler logic. Please have a look? We decided to not install iptables in RHEL CVM images in the future.