Story
Resolution: Unresolved
[2611209754] Upstream Reporter: Timothée Ravier
Upstream issue status: Open
Upstream description:
- Describe the enhancement
Since https://github.com/coreos/fedora-coreos-tracker/issues/676 (in stable `36.20220505.3.2`), we've moved to the nft backend for iptables by default, but as far as I remember / could figure out, we did not update existing systems to it.
We now have proper support for alternatives on ostree based systems (https://github.com/fedora-sysv/chkconfig/pull/135 & https://github.com/coreos/fedora-coreos-tracker/issues/677) so we can use that to migrate users at boot time.
Then we should remove the legacy package.
Unfortunately we can not just drop our manual workaround to migrate systems to the nft backend as they have the same priority set in their alternatives config:
- https://src.fedoraproject.org/rpms/iptables/blob/rawhide/f/iptables.spec#_278
- https://src.fedoraproject.org/rpms/iptables/blob/rawhide/f/iptables.spec#_330
So we'll have to run a script via a systemd unit to do it:
```
$ sudo alternatives --set iptables /usr/sbin/iptables-nft
```
As this could potentially be a breaking change, we might want to do it only starting with Fedora 42.
- System details
N/A
- Additional information
See:
- Original Change Request in Fedora: https://fedoraproject.org/wiki/Changes/iptables-nft-default
- Issue tracking the move to nft as default in FCOS: https://github.com/coreos/fedora-coreos-tracker/issues/676
- Original issue with alternatives not working: https://github.com/coreos/fedora-coreos-tracker/issues/677
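As an added example that is not part of the upstream issue or the FCOS project, the boot-time migration described above could be a one-shot script that only switches the alternative when it still points at the legacy backend, plus the systemd unit that runs it. The unit name, the script's install path, the message text and the `ALTERNATIVES_DIR` override are assumptions; the `alternatives --set` command itself is the one from the issue.

```shell
# Added example, not code from the tracker issue: a one-shot migration helper and
# the systemd unit that runs it at boot. Paths and the unit name are assumptions.

# 0 when the alternatives target is still the legacy backend, 1 otherwise
# (already nft, unset or unknown), so the migration is idempotent.
iptables_needs_migration() {
    case "$1" in
        */iptables-legacy) return 0 ;;
        *) return 1 ;;
    esac
}

# Current target of the "iptables" master link, read without modifying it.
# Assumption: the link lives under /etc/alternatives (ALTERNATIVES_DIR for tests).
current_iptables_target() {
    readlink "${ALTERNATIVES_DIR:-/etc/alternatives}/iptables" 2>/dev/null || true
}

# Switch to nft only if still on legacy; a no-op on every later boot.
migrate_iptables_to_nft() {
    target="$(current_iptables_target)"
    if iptables_needs_migration "$target"; then
        echo "iptables alternative is ${target}; switching to iptables-nft"
        alternatives --set iptables /usr/sbin/iptables-nft
    else
        echo "iptables alternative is ${target:-unset}; nothing to do"
    fi
}

# Unit running the migration before network setup. Assumed script path:
# /usr/libexec/iptables-nft-migrate.
print_unit_file() {
    cat <<'EOF'
[Unit]
Description=Migrate the iptables alternative to the nft backend
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/libexec/iptables-nft-migrate --apply

[Install]
WantedBy=multi-user.target
EOF
}

# Act only on an explicit flag so sourcing or testing the file changes nothing.
case "${1:-}" in --apply) migrate_iptables_to_nft ;; --print-unit) print_unit_file ;; esac
```

Run with `--print-unit` to emit the unit file and `--apply` (as root) to perform the switch; on an already migrated system `--apply` reports nothing to do and leaves the alternative untouched.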