From 0396efe014838b32c7ec530c5933c4fd74d3467e Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Wed, 3 Nov 2021 17:52:48 -0400
Subject: [PATCH] manifest: default to iptables-nft

Ship with iptables-nft by default. This requires a postprocessing script until we can fully drop iptables-legacy from the base.
Closes: https://github.com/coreos/fedora-coreos-tracker/issues/676
---
 manifests/fedora-coreos-base.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/manifests/fedora-coreos-base.yaml b/manifests/fedora-coreos-base.yaml
index a6049725ec..bc87929da0 100644
--- a/manifests/fedora-coreos-base.yaml
+++ b/manifests/fedora-coreos-base.yaml
@@ -84,6 +84,17 @@ postprocess:
 if [ -z "${DEFAULT_HOSTNAME:-}" ]; then
 echo 'DEFAULT_HOSTNAME=localhost' >> /usr/lib/os-release
 fi
+ # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+ # remove iptables-legacy.
+ - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
+ ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+ ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
+ ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
+ ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
+ ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
 # Packages listed here should be specific to Fedore CoreOS (as in not yet
 # available in RHCOS or not desired in RHCOS). All other packages should go