[ferm] Change default iptables backend to 'legacy'

(cherry picked from commit 0ec2812) (cherry picked from commit 433c3f2) (cherry picked from commit 0fe0320)
debops · Nov 29, 2021 · 9867b7a · 9867b7a
1 parent 7797f6e
commit 9867b7a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -73,6 +73,14 @@ Continuous Integration
                change. You might need to update your Ansible inventory to select
                the correct backend.
 
+- The default backend for :command:`iptables` is changed to ``legacy`` on newer
+  OS releases, because `there's no plans`__ to support :command:`nftables`
+  backend by the :command:`ferm` project. You might want to check if the
+  firewall configuration is correctly applied after running the role against
+  already configured hosts.
+
+  .. __: https://github.com/MaxKellermann/ferm/issues/47
+
 :ref:`debops.pki` role
 ''''''''''''''''''''''
 

diff --git a/ansible/roles/ferm/defaults/main.yml b/ansible/roles/ferm/defaults/main.yml
@@ -62,7 +62,7 @@ ferm__iptables_backend_enabled: '{{ False
 #
 # Ferm does not support nftables backend, therefore the legacy variant is
 # enabled by default.
-ferm__iptables_backend_type: 'nft'
+ferm__iptables_backend_type: 'legacy'
 
                                                                    # ]]]
 # .. envvar:: ferm__base_packages [[[