manifest: default to iptables-nft

Ship with iptables-nft by default. This requires a postprocessing script until we can fully drop iptables-legacy from the base. Closes: coreos/fedora-coreos-tracker#676
coreos · Dec 6, 2021 · 0396efe · 0396efe
1 parent 187afc9
commit 0396efe
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/manifests/fedora-coreos-base.yaml b/manifests/fedora-coreos-base.yaml
@@ -84,6 +84,17 @@ postprocess:
     if [ -z "${DEFAULT_HOSTNAME:-}" ]; then
       echo 'DEFAULT_HOSTNAME=localhost' >> /usr/lib/os-release
     fi
+  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+  # remove iptables-legacy.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
+    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+    ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
+    ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
+    ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
+    ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
 
 # Packages listed here should be specific to Fedore CoreOS (as in not yet
 # available in RHCOS or not desired in RHCOS). All other packages should go