Fix Ubuntu 22.04 compatibility issues (#14824)

This commit addresses two critical issues preventing Algo from working
on Ubuntu 22.04:

1. Load af_key kernel module for StrongSwan
   - Ubuntu 22.04 minimal installs don't load af_key by default
   - Without this module, StrongSwan fails with namespace errors
   - Added modprobe task to ensure module is loaded persistently

2. Force iptables-legacy mode on Ubuntu 22.04+
   - Ubuntu 22.04 uses iptables-nft backend by default
   - This causes firewall rules to be reordered incorrectly
   - VPN traffic gets blocked by misplaced DROP rules
   - Switching to iptables-legacy ensures correct rule ordering

These changes restore full VPN functionality (both WireGuard and IPsec)
on Ubuntu 22.04 installations.

Closes #14820

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Dan Guido 2025-08-16 13:19:59 -04:00 committed by GitHub
parent b821080eba
commit 315898fafb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 33 additions and 0 deletions

@ -161,5 +161,31 @@
include_tasks: aip/main.yml include_tasks: aip/main.yml
when: alternative_ingress_ip when: alternative_ingress_ip
- name: Ubuntu 22.04+ | Use iptables-legacy for compatibility
block:
- name: Install iptables packages
apt:
name:
- iptables
- iptables-persistent
state: present
update_cache: true
- name: Configure iptables-legacy as default
alternatives:
name: "{{ item }}"
path: "/usr/sbin/{{ item }}-legacy"
with_items:
- iptables
- ip6tables
- iptables-save
- iptables-restore
- ip6tables-save
- ip6tables-restore
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_version is version('22.04', '>=')
tags: iptables
- include_tasks: iptables.yml - include_tasks: iptables.yml
tags: iptables tags: iptables
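Review bot: In "Configure iptables-legacy as default", the loop hands six names to `alternatives` with only `name` and `path`, which assumes each one (including `iptables-save`, `iptables-restore`, `ip6tables-save` and `ip6tables-restore`) is already registered as its own alternatives group on the target. If the save/restore links are managed as followers of the `iptables` and `ip6tables` groups, those four iterations will fail. Please confirm with `update-alternatives --display` on a 22.04 host and trim the list to the groups that actually exist. Since rule ordering is the reason for this change, it would also help to add a task after `iptables.yml` that asserts the legacy backend is the one in use and that the DROP rules sit where the play intends, so a silent fallback to the nft backend is caught at deploy time.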

@ -2,6 +2,13 @@
- name: Set OS specific facts - name: Set OS specific facts
set_fact: set_fact:
strongswan_additional_plugins: [] strongswan_additional_plugins: []
- name: Ubuntu | Ensure af_key kernel module is loaded
modprobe:
name: af_key
state: present
persistent: present
- name: Ubuntu | Install strongSwan (individual) - name: Ubuntu | Install strongSwan (individual)
apt: apt:
name: strongswan name: strongswan
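Review bot: The "Ubuntu | Ensure af_key kernel module is loaded" task has no `when` guard and no failure handling, so it runs on every Ubuntu target ahead of the strongSwan install, not only on the 22.04 minimal installs named in the commit message. On a host where the module cannot be loaded (for example a container sharing the host kernel, or a kernel built without af_key) the play stops here before anything else in this file runs. Consider guarding it on the environment, or registering the result and failing with a message that names af_key as the cause, and document the minimum version of the `modprobe` module required for `persistent: present`.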