Fedora CoreOS moving to iptables-nft

Cross-posted with this coreos-status email.

In the coming months, all new and upgrading Fedora CoreOS nodes will migrate to the nft backend of iptables (iptables-nft). The migration works by repointing the relevant symbolic links in /etc/alternatives (iptables, iptables-save, iptables-restore and their ip6tables counterparts) from the legacy binaries to the nft ones. The legacy backend is considered deprecated.

This change will be rolled out together with the rebase to Fedora 36:
- the next rebase is targeted for 2022-03-15
- the testing rebase is targeted for 2022-04-19
- the stable stream will follow testing as usual

If you need to stay on the legacy backend, create an empty file at /etc/coreos/iptables-legacy.stamp; its presence tells the migration to leave the links alone. For existing nodes, you can create the file now by hand:

sudo mkdir -m 755 /etc/coreos/
sudo touch /etc/coreos/iptables-legacy.stamp

For new nodes that get deployed between now and when the migration happens, create the /etc/coreos/iptables-legacy.stamp file using Ignition so they are not migrated. After the migration, you can bring up new nodes on the legacy backend by setting the symbolic links yourself via Ignition. The Butane config below does both:

variant: fcos
version: 1.4.0
storage:
  files:
    - path: /etc/coreos/iptables-legacy.stamp
      mode: 0644
  links:
    - path: /etc/alternatives/iptables
      target: /usr/sbin/iptables-legacy
      overwrite: true
      hard: false
    - path: /etc/alternatives/iptables-restore
      target: /usr/sbin/iptables-legacy-restore
      overwrite: true
      hard: false
    - path: /etc/alternatives/iptables-save
      target: /usr/sbin/iptables-legacy-save
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables
      target: /usr/sbin/ip6tables-legacy
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables-restore
      target: /usr/sbin/ip6tables-legacy-restore
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables-save
      target: /usr/sbin/ip6tables-legacy-save
      overwrite: true
      hard: false

This ensures that all new nodes use the legacy backend, whether they are provisioned before or after the migration. Once all streams are based on Fedora 36, we recommend dropping the stamp file from your Butane config, since the links alone then keep a node on the legacy backend.
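To check what a node is actually running, and to apply the same opt-out outside of Ignition, here is an added bash script. It is not from the coreos-status announcement or the Fedora CoreOS project: it classifies the backend from the `iptables -V` banner, reads the /etc/alternatives links, and can create the stamp file and point the links at the legacy binaries. The root-prefix argument and the function names are this example's own; it assumes the binaries live in /usr/sbin, as they do on FCOS.

```bash
#!/bin/bash
# Added example, not part of the coreos-status announcement or of the
# Fedora CoreOS project. Inspects which iptables backend a node is on and
# applies the same opt-out the announcement describes (stamp file plus
# legacy symlinks). Every function takes a root prefix as $1 so the logic
# can be exercised against a scratch directory; on a live node pass "".
# Assumes the iptables binaries live in /usr/sbin, as they do on FCOS.

TOOLS="iptables iptables-restore iptables-save ip6tables ip6tables-restore ip6tables-save"

# Classify the backend from the banner `iptables -V` prints, e.g.
#   "iptables v1.8.7 (nf_tables)" -> nft
#   "iptables v1.8.7 (legacy)"    -> legacy
backend_from_banner() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Print "<tool> <backend>" for each alternatives link under root $1,
# judging the backend from the name of the link target.
alternatives_backends() {
    local root="$1" tool target
    for tool in $TOOLS; do
        target=$(readlink "$root/etc/alternatives/$tool" 2>/dev/null) || target=""
        case "$target" in
            */ip*tables-legacy*) echo "$tool legacy" ;;
            */ip*tables-nft*)    echo "$tool nft" ;;
            *)                   echo "$tool unknown" ;;
        esac
    done
}

# Succeed only when every alternatives link under root $1 points at backend $2.
all_links_use() {
    ! alternatives_backends "$1" | grep -qv " $2\$"
}

# Create the opt-out stamp file under root $1 (what the announcement's
# mkdir/touch pair does).
pin_legacy_stamp() {
    mkdir -p -m 755 "$1/etc/coreos" &&
    touch "$1/etc/coreos/iptables-legacy.stamp"
}

# Point every alternatives link under root $1 at the legacy binaries
# (the same links the Butane config sets), e.g.
#   iptables-save -> /usr/sbin/iptables-legacy-save
pin_legacy_links() {
    local tool legacy
    mkdir -p "$1/etc/alternatives" || return 1
    for tool in $TOOLS; do
        legacy=$(printf '%s' "$tool" | sed 's/tables/tables-legacy/')
        ln -sfn "/usr/sbin/$legacy" "$1/etc/alternatives/$tool" || return 1
    done
}

# Stand-alone use: report the live node. Run it after the F36 rebase (or
# after applying the Butane config) to confirm the backend you expect.
if [ "$#" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    echo "iptables -V reports: $(backend_from_banner "$(iptables -V 2>/dev/null)")"
    alternatives_backends ""
    if all_links_use "" legacy; then echo "all alternatives links: legacy"
    elif all_links_use "" nft; then echo "all alternatives links: nft"
    else echo "WARNING: alternatives links are mixed or missing"; fi
fi
```

Run it on a node and compare what `iptables -V` reports with the link targets. Rules loaded through one backend are not visible to tools using the other, so a mixed state (for example a host on nft while a container image still ships a legacy iptables) can leave rules in place that the host's iptables-save never shows; checking that all six links agree is the cheapest way to catch that.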
