Fedora CoreOS moving to iptables-nft
by Jonathan Lebon
In the coming months, all new and upgrading Fedora CoreOS nodes will
migrate to the nft backend of iptables. This will be done by updating
the relevant symbolic links in `/etc/alternatives`. The legacy backend
is considered deprecated.
This change will be rolled out together with the rebase to Fedora 36:
- the `next` rebase is targeted for 2022-03-15
- the `testing` rebase is targeted for 2022-04-19
- the `stable` stream will follow `testing` as usual
If you need to stay on the legacy backend, create an empty file at
`/etc/coreos/iptables-legacy.stamp`. For existing nodes, you can
manually create the file now:
```
sudo mkdir -m 755 /etc/coreos/
sudo touch /etc/coreos/iptables-legacy.stamp
```
For new nodes that get deployed between now and when the migration
happens, you can create the `/etc/coreos/iptables-legacy.stamp` file
using Ignition to ensure they don't get migrated. After the migration,
you can bring up new nodes on the legacy backend by manually setting
the symbolic links via Ignition. Below is a Butane config that does
both of these:
```
variant: fcos
version: 1.4.0
storage:
  files:
    - path: /etc/coreos/iptables-legacy.stamp
      mode: 0644
  links:
    - path: /etc/alternatives/iptables
      target: /usr/sbin/iptables-legacy
      overwrite: true
      hard: false
    - path: /etc/alternatives/iptables-restore
      target: /usr/sbin/iptables-legacy-restore
      overwrite: true
      hard: false
    - path: /etc/alternatives/iptables-save
      target: /usr/sbin/iptables-legacy-save
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables
      target: /usr/sbin/ip6tables-legacy
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables-restore
      target: /usr/sbin/ip6tables-legacy-restore
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables-save
      target: /usr/sbin/ip6tables-legacy-save
      overwrite: true
      hard: false
```
This will ensure that all new nodes will use the legacy backend
whether before or after the migration. After all streams are based on
Fedora 36, we recommend removing the stamp file from your Butane
config.
Thanks,
Jonathan Lebon, for the Fedora CoreOS team