manifests: drop service for staying on iptables-legacy

This service was used for people who wanted to stay on
iptables-legacy. Now that there has been a barrier release
it is no longer needed.

Also move the iptables-nft enablement into fedora-coreos-base
and delete related tests.

manifests/fedora-coreos-base.yaml

@@ -17,11 +17,6 @@ ostree-layers:
   - overlay/14NetworkManager-plugins
   - overlay/20platform-chrony
 
-conditional-include:
-  # https://github.com/coreos/fedora-coreos-tracker/issues/676
-  - if: releasever >= 36
-    include: iptables-nft.yaml
-
 initramfs-args:
   - --no-hostonly
   # We don't support root on NFS, so we don't need it in the initramfs. It also
@@ -121,6 +116,20 @@ postprocess:
         chmod +x /usr/lib/dracut/modules.d/95nvmf/nvmf-autoconnect.sh
     fi
 
+  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+  # remove iptables-legacy. This is needed because alternatives don't work
+  # https://github.com/coreos/fedora-coreos-tracker/issues/677
+  # https://github.com/coreos/fedora-coreos-tracker/issues/676
+  - |
+    #!/usr/bin/env bash
+    set -xeuo pipefail
+    ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
+    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+    ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
+    ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
+    ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
+    ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save
+
 # Packages listed here should be specific to Fedore CoreOS (as in not yet
 # available in RHCOS or not desired in RHCOS). All other packages should go
 # into one of the sub-manifests listed at the top.

overlay.d/README.md

@@ -52,16 +52,3 @@ Add static chrony configuration for NTP servers provided on platforms
 such as `azure`, `aws`, `gcp`. The chrony config for these NTP servers
 should override other chrony configuration (e.g. DHCP-provided)
 configuration.
-
-35coreos-iptables
------------------
-
-Contains systemd service and script for remaining on iptables-nft after
-the migration to nft.
-
-Split out because (1) it will roll out to next first, and (2) it can
-more easily be deleted after the barrier release.
-
-For more details, see:
-https://github.com/coreos/fedora-coreos-tracker/issues/676
-https://github.com/coreos/fedora-coreos-config/pull/1324

tests/kola/firewall/iptables/test.sh

@@ -6,19 +6,8 @@ set -xeuo pipefail
 
 . $KOLA_EXT_DATA/commonlib.sh
 
-# rollout is tied to f36+ on FCOS
-# RHCOS is already in nft
-# once all of FCOS is on f36, we can drop this branching
-if is_rhcos || [ "$(get_fedora_ver)" -ge 36 ]; then
-    if ! iptables --version | grep nf_tables; then
-        iptables --version # output for logs
-        fatal "iptables version is not nft"
-    fi
-    ok "iptables in nft mode"
-else
-    if ! iptables --version | grep legacy; then
-        iptables --version # output for logs
-        fatal "iptables version is not legacy"
-    fi
-    ok "iptables in legacy mode"
+if ! iptables --version | grep nf_tables; then
+    iptables --version # output for logs
+    fatal "iptables version is not nft"
 fi
+ok "iptables in nft mode"