From 315898fafb327017e9630d00967ca6d7c69a563c Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Sat, 16 Aug 2025 13:19:59 -0400
Subject: [PATCH] Fix Ubuntu 22.04 compatibility issues (#14824)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit addresses two critical issues preventing Algo from working on Ubuntu 22.04: 1. Load af_key kernel module for StrongSwan - Ubuntu 22.04 minimal installs don't load af_key by default - Without this module, StrongSwan fails with namespace errors - Added modprobe task to ensure module is loaded persistently 2. Force iptables-legacy mode on Ubuntu 22.04+ - Ubuntu 22.04 uses iptables-nft backend by default - This causes firewall rules to be reordered incorrectly - VPN traffic gets blocked by misplaced DROP rules - Switching to iptables-legacy ensures correct rule ordering These changes restore full VPN functionality (both WireGuard and IPsec) on Ubuntu 22.04 installations. Closes #14820 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude
---
roles/common/tasks/ubuntu.yml | 26 ++++++++++++++++++++++++++
roles/strongswan/tasks/ubuntu.yml | 7 +++++++
2 files changed, 33 insertions(+)
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index 0d7e2d2d..b5a919ac 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@@ -161,5 +161,31 @@ include_tasks: aip/main.yml when: alternative_ingress_ip +- name: Ubuntu 22.04+ | Use iptables-legacy for compatibility + block: + - name: Install iptables packages + apt: + name: + - iptables + - iptables-persistent + state: present + update_cache: true + + - name: Configure iptables-legacy as default + alternatives: + name: "{{ item }}" + path: "/usr/sbin/{{ item }}-legacy" + with_items: + - iptables + - ip6tables + - iptables-save + - iptables-restore + - ip6tables-save + - ip6tables-restore + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_version is version('22.04', '>=') + tags: iptables + - include_tasks: iptables.yml tags: iptables diff --git a/roles/strongswan/tasks/ubuntu.yml b/roles/strongswan/tasks/ubuntu.yml index f98fcf4c..b17b3a0b 100644 --- a/roles/strongswan/tasks/ubuntu.yml +++ b/roles/strongswan/tasks/ubuntu.yml @@ -2,6 +2,13 @@ - name: Set OS specific facts set_fact: strongswan_additional_plugins: [] + +- name: Ubuntu | Ensure af_key kernel module is loaded + modprobe: + name: af_key + state: present + persistent: present + - name: Ubuntu | Install strongSwan (individual) apt: name: strongswan
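Review bot: In roles/common/tasks/ubuntu.yml, the `path: "/usr/sbin/{{ item }}-legacy"` template in "Configure iptables-legacy as default" only renders an existing binary for `iptables` and `ip6tables`. For the four save/restore items it produces names such as `/usr/sbin/iptables-save-legacy`, whereas the packaged binaries are, as far as I know, `iptables-legacy-save` and `iptables-legacy-restore`. On Debian-family packaging those links are also slaves of the `iptables` and `ip6tables` alternative groups rather than groups of their own, so the loop is likely to fail on those items and leave the firewall backend switch half-applied. Reducing the list to the two masters, `with_items: [iptables, ip6tables]`, should carry the save/restore links along. A short comment that rules already loaded through the nft backend stay in the kernel until flushed or rebooted would also help whoever verifies the ruleset afterwards.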
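Review bot: In roles/strongswan/tasks/ubuntu.yml, the new "Ensure af_key kernel module is loaded" task relies on `persistent: present`, which I believe only exists in community.general 7.0.0 and later. Nothing visible in this hunk pins the collection, so on an older install the task would abort with an unsupported-parameter error before strongSwan is installed. It is worth confirming the pinned collection version and writing the module as `community.general.modprobe`, so the dependency is explicit. Because the module is then loaded on every boot, a why-comment above the task would help later hardening reviews, for example `# strongSwan fails without af_key (PF_KEY); Ubuntu 22.04 minimal images do not load it by default`.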