Only use iptables alternative on older iptables versions

Signed-off-by: Derek Nola <derek.nola@suse.com>

roles/raspberrypi/tasks/main.yml

@@ -41,17 +41,9 @@
     - raspberry_pi|default(false)
     - ansible_facts.os_family is match("Archlinux")
 
-- name: Set detected_distribution_major_version
-  ansible.builtin.set_fact:
-    detected_distribution_major_version: "{{ ansible_facts.lsb.major_release }}"
-  when: >
-    ( detected_distribution | default("") == "Raspbian" or
-      detected_distribution | default("") == "Debian" )
-
 - name: Execute OS related tasks on the Raspberry Pi
   ansible.builtin.include_tasks: "{{ item }}"
   with_first_found:
-    - "prereq/{{ detected_distribution }}-{{ detected_distribution_major_version }}.yml"
     - "prereq/{{ detected_distribution }}.yml"
     - "prereq/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
     - "prereq/{{ ansible_distribution }}.yml"

roles/raspberrypi/tasks/prereq/Debian.yml

@@ -12,22 +12,35 @@
     backrefs: true
   notify: Reboot Pi
 
-- name: Install iptables
+- name: Gather the package facts
-  ansible.builtin.apt:
+  ansible.builtin.package_facts:
-    name: iptables
+    manager: auto
 
-- name: Flush iptables before changing to iptables-legacy
+# If no iptables is found, K3s will use the iptables it ships with.
+# However, if a iptables is found, K3s will use that instead. Iptables
+# versions 1.8.7 and older have problems with K3s, so we force the use of
+# iptables-legacy in that case.
+- name: If old iptables found, change to iptables-legacy
+  when:
+    - ansible_facts.packages['iptables'] is defined
+    - ansible_facts.packages['iptables'][0]['version'] is version('1.8.8', '<')
+  block:
+    - name: Iptables version on node
+      ansible.builtin.debug:
+        msg: "iptables version {{ ansible_facts.packages['iptables'][0]['version'] }} found"
+
+    - name: Flush iptables before changing to iptables-legacy
       ansible.builtin.iptables:
         flush: true
       changed_when: false   # iptables flush always returns changed
 
-- name: Changing to iptables-legacy
+    - name: Changing to iptables-legacy
       community.general.alternatives:
         path: /usr/sbin/iptables-legacy
         name: iptables
       register: ip4_legacy
 
-- name: Changing to ip6tables-legacy
+    - name: Changing to ip6tables-legacy
       community.general.alternatives:
         path: /usr/sbin/ip6tables-legacy
         name: ip6tables

roles/raspberrypi/tasks/prereq/Raspbian.yml

@@ -7,18 +7,35 @@
     backrefs: true
   notify: Reboot Pi
 
-- name: Flush iptables before changing to iptables-legacy
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
+# If no iptables is found, K3s will use the iptables it ships with.
+# However, if a iptables is found, K3s will use that instead. Iptables
+# versions 1.8.7 and older have problems with K3s, so we force the use of
+# iptables-legacy in that case.
+- name: If old iptables found, change to iptables-legacy
+  when:
+    - ansible_facts.packages['iptables'] is defined
+    - ansible_facts.packages['iptables'][0]['version'] is version('1.8.8', '<')
+  block:
+    - name: Iptables version on node
+      ansible.builtin.debug:
+        msg: "iptables version {{ ansible_facts.packages['iptables'][0]['version'] }} found"
+
+    - name: Flush iptables before changing to iptables-legacy
       ansible.builtin.iptables:
         flush: true
       changed_when: false   # iptables flush always returns changed
 
-- name: Changing to iptables-legacy
+    - name: Changing to iptables-legacy
       community.general.alternatives:
         path: /usr/sbin/iptables-legacy
         name: iptables
       register: ip4_legacy
 
-- name: Changing to ip6tables-legacy
+    - name: Changing to ip6tables-legacy
       community.general.alternatives:
         path: /usr/sbin/ip6tables-legacy
         name: ip6tables