From ead13ecd691c3f008b1364962e21a903cbd54c6f Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 1 Feb 2022 15:28:49 -0500
Subject: [PATCH] manifest: default to iptables-nft
Ship with iptables-nft by default. This requires a postprocessing script until we can fully drop iptables-legacy from the base.
For more information, see:
https://github.com/coreos/fedora-coreos-tracker/issues/676
https://github.com/coreos/fedora-coreos-config/pull/1324
---
 manifest.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/manifest.yaml b/manifest.yaml
index 5b9b44b3fa..b021aeffcc 100644
--- a/manifest.yaml
+++ b/manifest.yaml
@@ -42,3 +42,15 @@ postprocess:
 #!/usr/bin/env bash
 mkdir -p /usr/lib/rpm-ostree/
 mv /usr/bin/microdnf /usr/lib/rpm-ostree/
+ # Default to iptables-nft. Otherwise, legacy wins. This needs to be lowered in
+ # a shared manifest once we're ready to migrate `testing`. We can drop this
+ # once/if we remove iptables-legacy.
+ - |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
+ ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+ ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
+ ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
+ ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
+ ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
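Review bot: The six `ln -sf` calls in the new postprocess script succeed even when their target is missing, so a compose whose package set lacks the nft binaries would ship dangling `/etc/alternatives/iptables*` links without `set -e` noticing. On a host that loads its ruleset through `iptables-restore` at boot, that presumably means the firewall rules are never applied. I would check each target with `test -x` before linking, as a standalone command so errexit aborts the build; the loop below does that and removes the repetition (indentation is assumed, since the hunk's whitespace is not visible here). Writing the links directly also bypasses the alternatives tool's own state, so it is worth confirming that a later package scriptlet cannot switch them back to legacy.

```yaml
  # … unchanged: comment explaining the iptables-nft default …
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    for cmd in iptables ip6tables; do
      for suffix in "" -restore -save; do
        target="/usr/sbin/${cmd}-nft${suffix}"
        # Fail the compose rather than ship a dangling alternative.
        test -x "${target}"
        ln -sf "${target}" "/etc/alternatives/${cmd}${suffix}"
      done
    done
```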