fix: ensure critical netfilter modules are loaded on all nodes (adds Rocky 10 support)

k8s/fix-ufw-ds-v2.yaml

@@ -21,6 +21,14 @@ spec:
         command: ["nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "sh", "-c"]
         args:
           - |
+            # Ensure critical kernel modules are loaded for K3s/Flannel/IPTables
+            for mod in br_netfilter overlay xt_conntrack xt_comment xt_mark xt_MASQUERADE; do
+              if ! lsmod | grep -q "^$mod"; then
+                echo "Attempting to load module $mod..."
+                modprobe $mod || echo "Failed to load $mod"
+              fi
+            done
+
             if command -v ufw >/dev/null; then
               ufw allow 8472/udp
               ufw allow 80/tcp
@@ -35,6 +43,7 @@ spec:
               ufw allow from 37.60.237.100
               ufw allow from 167.86.68.48
               ufw allow from 95.111.235.130
+              ufw allow from 80.241.209.235
             elif command -v firewall-cmd >/dev/null; then
               firewall-cmd --permanent --add-port=8472/udp
               firewall-cmd --permanent --add-port=80/tcp
@@ -49,6 +58,14 @@ spec:
               firewall-cmd --permanent --add-source=37.60.237.100
               firewall-cmd --permanent --add-source=167.86.68.48
               firewall-cmd --permanent --add-source=95.111.235.130
+              firewall-cmd --permanent --add-source=80.241.209.235
               firewall-cmd --reload
+            elif command -v dnf >/dev/null && grep -q "Rocky Linux 10" /etc/os-release 2>/dev/null; then
+              # Specific fix for Rocky 10 missing legacy netfilter modules
+              KVER=$(uname -r)
+              if ! lsmod | grep -q "xt_conntrack"; then
+                dnf install -y kernel-modules-extra-$KVER || dnf install -y kernel-modules-extra
+                modprobe br_netfilter overlay xt_conntrack xt_comment xt_mark xt_MASQUERADE
+              fi
             fi
             sleep 3600