diff --git a/kola-denylist.yaml b/kola-denylist.yaml
index 157e3a2fcb..1cf7cdd650 100644
--- a/kola-denylist.yaml
+++ b/kola-denylist.yaml
@@ -53,12 +53,6 @@
 streams:
 - rawhide
 - branched
-- pattern: ext.config.firewall.iptables
- tracker: https://github.com/coreos/fedora-coreos-tracker/issues/676
- snooze: 2022-03-07
- streams:
- - rawhide
- - branched
 - pattern: coreos.boot-mirror.luks/detach-primary
 tracker: https://github.com/coreos/coreos-assembler/issues/2725
 arches:
diff --git a/manifests/fedora-coreos-base.yaml b/manifests/fedora-coreos-base.yaml
index f7113ccd21..d0775ec5b0 100644
--- a/manifests/fedora-coreos-base.yaml
+++ b/manifests/fedora-coreos-base.yaml
@@ -17,6 +17,11 @@ ostree-layers:
 - overlay/14NetworkManager-plugins
 - overlay/20platform-chrony
+conditional-include:
+ # https://github.com/coreos/fedora-coreos-tracker/issues/676
+ - if: releasever >= 36
+ include: iptables-nft.yaml
+
 initramfs-args:
 - --no-hostonly
 # We don't support root on NFS, so we don't need it in the initramfs. It also
diff --git a/manifests/iptables-nft.yaml b/manifests/iptables-nft.yaml
new file mode 100644
index 0000000000..ff6e15b850
--- /dev/null
+++ b/manifests/iptables-nft.yaml
@@ -0,0 +1,17 @@
+# Scripts for opting into staying on iptables-legacy after migration. Remove
+# after the next barrier release.
+ostree-layers:
+ - overlay/35coreos-iptables
+
+# Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+# remove iptables-legacy.
+postprocess:
+- |
+ #!/usr/bin/env bash
+ set -xeuo pipefail
+ ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
+ ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+ ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
+ ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
+ ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
+ ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
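Review bot: The comment above the new `conditional-include` entry in manifests/fedora-coreos-base.yaml is only a tracker URL, so a reader of the base manifest cannot tell that this entry changes the default firewall backend once `releasever >= 36` holds. I would state it on the line before the URL, e.g. `# Default to the iptables-nft backend starting with releasever 36:`. The same commit drops the `ext.config.firewall.iptables` denylist entry, so that test is presumably the only coverage for the switch; it is worth confirming it runs on every stream where the condition is true.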
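Review bot: `ln -sf` in the postprocess script of manifests/iptables-nft.yaml succeeds even when its target does not exist, so if any of the `/usr/sbin/*-nft*` binaries is missing from the compose the script still exits 0 and the image ships a dangling `/etc/alternatives` link. On a host that would surface as `iptables` or `iptables-restore` failing to run, meaning firewall rules are not loaded. I would check that each target is executable before linking and fail the build otherwise; a loop also replaces the six near-identical lines. The links are also written directly rather than through `alternatives --set`, so the alternatives database presumably keeps its own record; a one-line comment explaining why the direct symlink is used would help the next reader.

```yaml
postprocess:
- |
  # … unchanged: shebang and set -xeuo pipefail …
  for family in ip6tables iptables; do
    for suffix in '' -restore -save; do
      target="/usr/sbin/${family}-nft${suffix}"
      # ln -sf does not check the target; fail the compose on a missing binary
      [[ -x "${target}" ]] || { echo "missing ${target}" >&2; exit 1; }
      ln -sf "${target}" "/etc/alternatives/${family}${suffix}"
    done
  done
```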