manifest: default to iptables-nft

Ship with iptables-nft by default. This requires a postprocessing script until we can fully drop iptables-legacy from the base. For more information, see: coreos/fedora-coreos-tracker#676 coreos#1324
jlebon · Feb 21, 2022 · 90473f8 · 90473f8
1 parent 3dbb2de
commit 90473f8
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/manifest.yaml b/manifest.yaml
@@ -28,3 +28,15 @@ postprocess:
     mkdir -p /etc/fedora-coreos-pinger/config.d /etc/zincati/config.d
     echo -e '# https://github.com/coreos/fedora-coreos-tracker/issues/163\nreporting.enabled = false' > /etc/fedora-coreos-pinger/config.d/90-disable-on-non-production-stream.toml
     echo -e '# https://github.com/coreos/fedora-coreos-tracker/issues/163\nupdates.enabled = false' > /etc/zincati/config.d/90-disable-on-non-production-stream.toml
+  # Default to iptables-nft. Otherwise, legacy wins. This needs to be lowered in
+  # a shared manifest once we're ready to migrate `testing`. We can drop this
+  # once/if we remove iptables-legacy.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
+    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+    ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
+    ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
+    ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
+    ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save