Description of problem:

-> $ firewall-cmd --info-service=kube-control-plane-secure 
kube-control-plane-secure
  ports: 
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: etcd-client etcd-server kube-apiserver kube-controller-manager-secure kube-scheduler-secure
  helpers:

-> $ firewall-cmd --info-service=kube-apiserver 
kube-apiserver
  ports: 6443/tcp
  protocols: 
...

-> $ _FIRE=kube-control-plane-secure; firewall-cmd --zone=internal --add-rich-rule=\"rule family="ipv4" source address=${_IP} service name=${_FIRE} accept\"

-> $ nmap 10.3.1.61 -p 6443 # result -> filtered

-> $ _FIRE=kube-apiserver; firewall-cmd --zone=internal --add-rich-rule=\"rule family="ipv4" source address=${_IP} service name=${_FIRE} accept\"

-> $ nmap 10.3.1.61 -p 6443 # result -> open

Does that make sense?
Also, if such service - eg. kube-control-plane-secure - is allowed "normally", in 'service' then what happens is what I'd expect - included services get allowed too.

Version-Release number of selected component (if applicable):

firewalld-filesystem-1.2.1-1.el9.noarch
firewalld-1.2.1-1.el9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info: