manifests: add iptables-nft.yaml for f36+
Add a new conditional include which migrates streams on Fedora 36 and
higher to iptables-nft. This is magnitudes simpler than the current
alternative rollout procedure detailed in:

coreos/fedora-coreos-tracker#676
jlebon committed Mar 2, 2022
1 parent 84dea8c commit 844b92c
Showing 2 changed files with 22 additions and 0 deletions.
5 changes: 5 additions & 0 deletions manifests/fedora-coreos-base.yaml
Expand Up @@ -17,6 +17,11 @@ ostree-layers:
- overlay/14NetworkManager-plugins
- overlay/20platform-chrony

conditional-include:
# https://github.com/coreos/fedora-coreos-tracker/issues/676
- if: releasever >= 36
include: iptables-nft.yaml

initramfs-args:
- --no-hostonly
# We don't support root on NFS, so we don't need it in the initramfs. It also
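Review bot: The comment above the new `conditional-include` entry is only a tracker URL, so a reader of fedora-coreos-base.yaml cannot tell what `iptables-nft.yaml` changes without leaving the file. Consider adding one line saying that the include switches the default iptables backend to iptables-nft, and noting when the `releasever >= 36` condition can be dropped and the include made unconditional.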
17 changes: 17 additions & 0 deletions manifests/iptables-nft.yaml
@@ -0,0 +1,17 @@
# Scripts for opting into staying on iptables-legacy after migration. Remove
# after the next barrier release.
ostree-layers:
- overlay/35coreos-iptables

# Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
# remove iptables-legacy.
postprocess:
- |
#!/usr/bin/env bash
set -xeuo pipefail
ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
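Review bot: The postprocess script never checks that the six `/usr/sbin/*-nft*` targets exist, and `ln -sf` succeeds on a dangling target, so `set -e` will not stop the build if the nft binaries are missing from the image. The result would be broken `/etc/alternatives/iptables*` links rather than a failed compose. Consider a `test -x` on each target before linking, ideally in a loop over the six names so the list is written once. It would also help to record in the comment that `-f` overwrites whatever the alternatives links pointed to before, since that is what makes nft win over legacy here.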
