manifest: default to iptables-nft

Ship with iptables-nft by default. This requires a postprocessing script until we can fully drop iptables-legacy from the base. For more information, see: coreos/fedora-coreos-tracker#676 coreos#1324
jlebon · Feb 1, 2022 · ead13ec · ead13ec
1 parent 8d73e19
commit ead13ec
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/manifest.yaml b/manifest.yaml
@@ -42,3 +42,15 @@ postprocess:
     #!/usr/bin/env bash
     mkdir -p /usr/lib/rpm-ostree/
     mv /usr/bin/microdnf /usr/lib/rpm-ostree/
+  # Default to iptables-nft. Otherwise, legacy wins. This needs to be lowered in
+  # a shared manifest once we're ready to migrate `testing`. We can drop this
+  # once/if we remove iptables-legacy.
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
+    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+    ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
+    ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
+    ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
+    ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save