From bec34905c20480bdc8aaf01431998daed606a3fe Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Fri, 10 Nov 2023 15:17:56 -0800
Subject: [PATCH] Only use iptables alternative on older iptables versions
Signed-off-by: Derek Nola
---
 roles/raspberrypi/tasks/main.yml | 8 ----
 roles/raspberrypi/tasks/prereq/Debian.yml | 47 +++++++++++++--------
 roles/raspberrypi/tasks/prereq/Raspbian.yml | 45 ++++++++++++++------
 3 files changed, 61 insertions(+), 39 deletions(-)
diff --git a/roles/raspberrypi/tasks/main.yml b/roles/raspberrypi/tasks/main.yml
index 0681f92..c47ab7c 100644
--- a/roles/raspberrypi/tasks/main.yml
+++ b/roles/raspberrypi/tasks/main.yml
@@ -41,17 +41,9 @@
 - raspberry_pi|default(false)
 - ansible_facts.os_family is match("Archlinux")
-- name: Set detected_distribution_major_version
- ansible.builtin.set_fact:
- detected_distribution_major_version: "{{ ansible_facts.lsb.major_release }}"
- when: >
- ( detected_distribution | default("") == "Raspbian" or
- detected_distribution | default("") == "Debian" )
-
 - name: Execute OS related tasks on the Raspberry Pi
 ansible.builtin.include_tasks: "{{ item }}"
 with_first_found:
- - "prereq/{{ detected_distribution }}-{{ detected_distribution_major_version }}.yml"
 - "prereq/{{ detected_distribution }}.yml"
 - "prereq/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
 - "prereq/{{ ansible_distribution }}.yml"
diff --git a/roles/raspberrypi/tasks/prereq/Debian.yml b/roles/raspberrypi/tasks/prereq/Debian.yml
index a18ad7b..29535cf 100644
--- a/roles/raspberrypi/tasks/prereq/Debian.yml
+++ b/roles/raspberrypi/tasks/prereq/Debian.yml
@@ -12,23 +12,36 @@
 backrefs: true
 notify: Reboot Pi
-- name: Install iptables
- ansible.builtin.apt:
- name: iptables
+- name: Gather the package facts
+ ansible.builtin.package_facts:
+ manager: auto
-- name: Flush iptables before changing to iptables-legacy
- ansible.builtin.iptables:
- flush: true
- changed_when: false # iptables flush always returns changed
+# If no iptables is found, K3s will use the iptables it ships with.
+# However, if a iptables is found, K3s will use that instead. Iptables
+# versions 1.8.7 and older have problems with K3s, so we force the use of
+# iptables-legacy in that case.
+- name: If old iptables found, change to iptables-legacy
+ when:
+ - ansible_facts.packages['iptables'] is defined
+ - ansible_facts.packages['iptables'][0]['version'] is version('1.8.8', '<')
+ block:
+ - name: Iptables version on node
+ ansible.builtin.debug:
+ msg: "iptables version {{ ansible_facts.packages['iptables'][0]['version'] }} found"
-- name: Changing to iptables-legacy
- community.general.alternatives:
- path: /usr/sbin/iptables-legacy
- name: iptables
- register: ip4_legacy
+ - name: Flush iptables before changing to iptables-legacy
+ ansible.builtin.iptables:
+ flush: true
+ changed_when: false # iptables flush always returns changed
-- name: Changing to ip6tables-legacy
- community.general.alternatives:
- path: /usr/sbin/ip6tables-legacy
- name: ip6tables
- register: ip6_legacy
+ - name: Changing to iptables-legacy
+ community.general.alternatives:
+ path: /usr/sbin/iptables-legacy
+ name: iptables
+ register: ip4_legacy
+
+ - name: Changing to ip6tables-legacy
+ community.general.alternatives:
+ path: /usr/sbin/ip6tables-legacy
+ name: ip6tables
+ register: ip6_legacy
diff --git a/roles/raspberrypi/tasks/prereq/Raspbian.yml b/roles/raspberrypi/tasks/prereq/Raspbian.yml
index f97eca5..a0991d4 100644
--- a/roles/raspberrypi/tasks/prereq/Raspbian.yml
+++ b/roles/raspberrypi/tasks/prereq/Raspbian.yml
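Review bot: The flush task inside the new block still runs on every play against a node whose packaged iptables is older than 1.8.8, because the block's `when` tests only the package version and not whether the alternative already points at `/usr/sbin/iptables-legacy`. Each such run clears the filter table, which presumably includes rules K3s has installed on a running node as well as any host firewall rules, and `changed_when: false` keeps that out of the play recap. I would read the current alternative first and flush only when the switch is actually going to happen, letting the flush report as changed when it does run, as sketched below. The Raspbian.yml hunk carries the same tasks and needs the same guard.

```yaml
    # … unchanged: debug task printing the iptables version …
    - name: Read the current iptables alternative
      ansible.builtin.command: update-alternatives --query iptables
      register: iptables_alternative
      changed_when: false
      failed_when: false

    - name: Flush iptables before changing to iptables-legacy
      ansible.builtin.iptables:
        flush: true
      when: "'Value: /usr/sbin/iptables-legacy' not in iptables_alternative.stdout"
    # … unchanged: the two community.general.alternatives tasks …
```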
@@ -7,19 +7,36 @@
 backrefs: true
 notify: Reboot Pi
-- name: Flush iptables before changing to iptables-legacy
- ansible.builtin.iptables:
- flush: true
- changed_when: false # iptables flush always returns changed
+- name: Gather the package facts
+ ansible.builtin.package_facts:
+ manager: auto
-- name: Changing to iptables-legacy
- community.general.alternatives:
- path: /usr/sbin/iptables-legacy
- name: iptables
- register: ip4_legacy
+# If no iptables is found, K3s will use the iptables it ships with.
+# However, if a iptables is found, K3s will use that instead. Iptables
+# versions 1.8.7 and older have problems with K3s, so we force the use of
+# iptables-legacy in that case.
+- name: If old iptables found, change to iptables-legacy
+ when:
+ - ansible_facts.packages['iptables'] is defined
+ - ansible_facts.packages['iptables'][0]['version'] is version('1.8.8', '<')
+ block:
+ - name: Iptables version on node
+ ansible.builtin.debug:
+ msg: "iptables version {{ ansible_facts.packages['iptables'][0]['version'] }} found"
-- name: Changing to ip6tables-legacy
- community.general.alternatives:
- path: /usr/sbin/ip6tables-legacy
- name: ip6tables
- register: ip6_legacy
+ - name: Flush iptables before changing to iptables-legacy
+ ansible.builtin.iptables:
+ flush: true
+ changed_when: false # iptables flush always returns changed
+
+ - name: Changing to iptables-legacy
+ community.general.alternatives:
+ path: /usr/sbin/iptables-legacy
+ name: iptables
+ register: ip4_legacy
+
+ - name: Changing to ip6tables-legacy
+ community.general.alternatives:
+ path: /usr/sbin/ip6tables-legacy
+ name: ip6tables
+ register: ip6_legacy
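Review bot: The guard on the block, `ansible_facts.packages['iptables'] is defined`, detects only an iptables installed through the package manager under that package name, while the comment above it says K3s uses any iptables it finds. A binary installed another way would be used by K3s but skip the legacy switch; whether that can occur on these images is not visible from the hunk. At minimum the comment should state the assumption, for example `# Only a packaged iptables is detected; a binary installed outside the package manager is not checked.` The same guard appears in the Debian.yml hunk.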