From 54be02f4677c0f9540f4386f1bdaf8fc55ee2183 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 22 Feb 2022 21:31:37 -0500
Subject: [PATCH] manifests: add iptables-nft.yaml for f36+

Add a new conditional include which migrates streams on Fedora 36 and higher to iptables-nft. This is magnitudes simpler than the current alternative rollout procedure detailed in: https://github.com/coreos/fedora-coreos-tracker/issues/676
---
 kola-denylist.yaml                | 6 ------
 manifests/fedora-coreos-base.yaml | 5 +++++
 manifests/iptables-nft.yaml       | 17 +++++++++++++++++
 3 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 manifests/iptables-nft.yaml

diff --git a/kola-denylist.yaml b/kola-denylist.yaml
index 157e3a2fcb..1cf7cdd650 100644
--- a/kola-denylist.yaml
+++ b/kola-denylist.yaml
@@ -53,12 +53,6 @@
   streams:
     - rawhide
     - branched
-- pattern: ext.config.firewall.iptables
-  tracker: https://github.com/coreos/fedora-coreos-tracker/issues/676
-  snooze: 2022-03-07
-  streams:
-    - rawhide
-    - branched
 - pattern: coreos.boot-mirror.luks/detach-primary
   tracker: https://github.com/coreos/coreos-assembler/issues/2725
   arches:
diff --git a/manifests/fedora-coreos-base.yaml b/manifests/fedora-coreos-base.yaml
index f7113ccd21..d0775ec5b0 100644
--- a/manifests/fedora-coreos-base.yaml
+++ b/manifests/fedora-coreos-base.yaml
@@ -17,6 +17,11 @@ ostree-layers:
   - overlay/14NetworkManager-plugins
   - overlay/20platform-chrony
 
+conditional-include:
+  # https://github.com/coreos/fedora-coreos-tracker/issues/676
+  - if: releasever >= 36
+    include: iptables-nft.yaml
+
 initramfs-args:
   - --no-hostonly
   # We don't support root on NFS, so we don't need it in the initramfs. It also
diff --git a/manifests/iptables-nft.yaml b/manifests/iptables-nft.yaml
new file mode 100644
index 0000000000..ff6e15b850
--- /dev/null
+++ b/manifests/iptables-nft.yaml
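Review bot: The comment above the new `conditional-include` entry in manifests/fedora-coreos-base.yaml is only a tracker URL and does not say what the include does, so a reader has to open the issue to learn that Fedora 36+ streams get their iptables alternatives switched to nft. Suggest `# Fedora 36+ (incl. rawhide/branched): default iptables to nft, see` on the comment line with the existing URL kept after it. The `releasever >= 36` condition presumably also matches rawhide and branched, which is consistent with the kola-denylist entry this commit removes, but that coverage is now recorded nowhere and belongs in the comment.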
@@ -0,0 +1,17 @@
+# Scripts for opting into staying on iptables-legacy after migration. Remove
+# after the next barrier release.
+ostree-layers:
+  - overlay/35coreos-iptables
+
+# Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+# remove iptables-legacy.
+postprocess:
+- |
+  #!/usr/bin/env bash
+  set -xeuo pipefail
+  ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
+  ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+  ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
+  ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
+  ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
+  ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
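Review bot: The postprocess script in manifests/iptables-nft.yaml points /etc/alternatives/* at the nft binaries with `ln -sf` but never checks that those targets exist, so a compose in which the iptables-nft package is missing or its binaries are renamed still succeeds and ships dangling symlinks that only fail on the booted host. A `test -x` on each target before the `ln` turns that into a compose-time failure; the rewrite below adds it and folds the six near-identical lines into one loop. Writing the links directly also bypasses alternatives(8): if the packages register these names via `alternatives --install`, the state under /var/lib/alternatives would presumably no longer agree with /etc/alternatives, which is worth a comment or an `alternatives --set` call once confirmed against the package scriptlets. As a style point, the `postprocess` sequence is flush with its key while `ostree-layers` indents its entries; yamllint's indent-sequences rule expects one style per file.
```yaml
# … unchanged: header comments and ostree-layers …
postprocess:
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    for tool in iptables ip6tables; do
      for suffix in "" -restore -save; do
        target="/usr/sbin/${tool}-nft${suffix}"
        # Fail the compose rather than ship a dangling alternative.
        test -x "${target}"
        ln -sf "${target}" "/etc/alternatives/${tool}${suffix}"
      done
    done
```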