From d5363e6573e12bf98ac239d3afef13b66f69b8e8 Mon Sep 17 00:00:00 2001
From: Lars Fenneberg
Date: Fri, 2 Sep 2022 18:50:17 +0200
Subject: [PATCH] Force use of iptables-legacy

kube-proxy and Calico are still using the legacy implementation, so we want our custom rules to go into the same tables.
See:
* https://docs.fedoraproject.org/en-US/fedora-coreos/major-changes/#_moving_to_iptables_nft
* https://github.com/coreos/fedora-coreos-tracker/issues/676
* https://github.com/coreos/fedora-coreos-config/pull/1324
---
 .../kubernetes/butane/controller.yaml | 27 +++++++++++++++++++
 .../kubernetes/butane/worker.yaml | 27 +++++++++++++++++++
 2 files changed, 54 insertions(+)
diff --git a/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml b/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml
index f448240d6..6b9c3eacd 100644
--- a/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml
@@ -375,6 +375,33 @@ storage:
 [Install]
 WantedBy=multi-user.target
+ - path: /etc/coreos/iptables-legacy.stamp
+ mode: 0644
+ links:
+ - path: /etc/alternatives/iptables
+ target: /usr/sbin/iptables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-restore
+ target: /usr/sbin/iptables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-save
+ target: /usr/sbin/iptables-legacy-save
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables
+ target: /usr/sbin/ip6tables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-restore
+ target: /usr/sbin/ip6tables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-save
+ target: /usr/sbin/ip6tables-legacy-save
+ overwrite: true
+ hard: false
 passwd:
 users:
 - name: core
diff --git a/bare-metal/fedora-coreos/kubernetes/butane/worker.yaml b/bare-metal/fedora-coreos/kubernetes/butane/worker.yaml
index 547fc74f3..673288ef8 100644
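Review bot: The new `links:` block in controller.yaml (and the identical one in the worker.yaml hunk) repoints six `/etc/alternatives` entries with `overwrite: true` but carries no comment saying why, so the reason lives only in the commit message. A short comment above `links:` would keep it with the config, for example `# Pin host iptables to the legacy backend: kube-proxy and Calico still use it, and custom rules must land in the same tables (coreos/fedora-coreos-tracker#676). Revisit once both support nft.` The pin covers only binaries resolved through the host alternatives; kube-proxy and Calico presumably run the iptables binaries shipped in their own containers, so it is worth confirming on a provisioned node that `iptables-nft-save` shows no rule set, since rules split across the two backends are not evaluated as one ordered set. The enclosing `storage:` mapping starts outside the hunk, so the nesting of `links:` next to `files:` cannot be confirmed from here.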
--- a/bare-metal/fedora-coreos/kubernetes/butane/worker.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/butane/worker.yaml
@@ -257,6 +257,33 @@ storage:
 [Install]
 WantedBy=multi-user.target
+ - path: /etc/coreos/iptables-legacy.stamp
+ mode: 0644
+ links:
+ - path: /etc/alternatives/iptables
+ target: /usr/sbin/iptables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-restore
+ target: /usr/sbin/iptables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-save
+ target: /usr/sbin/iptables-legacy-save
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables
+ target: /usr/sbin/ip6tables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-restore
+ target: /usr/sbin/ip6tables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-save
+ target: /usr/sbin/ip6tables-legacy-save
+ overwrite: true
+ hard: false
 passwd:
 users:
 - name: core
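Review bot: The stamp file and the `/etc/alternatives` links added here are Ignition `storage` entries, which are applied on first boot only, so the change reaches newly provisioned workers (and controllers, in the controller.yaml hunk) and leaves already-running nodes as they are. If existing nodes are meant to stay on the legacy backend as well, that has to be done out of band, and the config should say so, for example `# Applied by Ignition on first boot only; existing nodes need the stamp file and alternatives set by hand.` above the `/etc/coreos/iptables-legacy.stamp` entry. Without that, a cluster may end up with nodes on different backends, and the custom rules the commit message mentions may then be effective on some nodes only. The `files:` list this entry is appended to starts outside the hunk.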