Relevant BZs: https://bugzilla.redhat.com/show_bug.cgi?id=2023436 and https://bugzilla.redhat.com/show_bug.cgi?id=2071978

When Netavark was created, we largely duplicated CNI's design decisions, including their choice of firewall backend: IPtables. IPTables, however, has been replaced by nftables (including in RHEL, since RHEL 8), and we are only able to continue using it via a compatibility layer in the iptables tools. This is not a desirable situation for customers; see the BZs above. Nftables also offers a number of advantages over iptables in flexibility (its rules are more powerful, and much more easy to maintain due to their linked-list structure) and performance (it offers a proper API for creating firewall rules, avoiding expensive CLI executions and parsing required with the iptables driver).

This card will cover the implementation of nftables as a top-level firewall backend for Netavark. With it, Podman and Buildah will be able to configure the full system firewall stack even on systems without an iptables binary installed. Very low to no code reuse with the iptables driver is expected (as we can take advantage of the nftables API instead) but the fundamental structure of the iptables rules can be converted to nftables, allowing us to use the existing firewall code as a base. Testing is expected to be a difficulty, as we'll need to get nftables-capable (perhaps nftables-only?) VMs prepared. Another potential difficulty is upgrades - if Netavark gains nftables capability after an upgrade, it needs to know existing containers still use iptables so it can successfully clean up after them.