diff --git a/NEWS b/NEWS
index 2d27e83588..e598373ff3 100644
--- a/NEWS
+++ b/NEWS
@@ -27,7 +27,9 @@ USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE!
 This allows to configure devices in udev for which DHCPOFFER messages are
 to be broadcast.
 * firewall: add nftables firewall backend for configuring IPv4 NAT with shared
- mode.
+ mode. Now two backends are supported, "iptables" and "nftables". The default
+ gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed,
+ with nftables preferred.
 * ethtool: add support for pause settings.
 * Support "prohibit"/"blackhole"/"unreachable" type routing rules.
 * Now NetworkManager preserves by default the existing traffic control
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index f5c02f90a5..cc342b3f22 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -738,9 +738,12 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared)
 static NMFirewallBackend
 _firewall_backend_detect(void)
 {
-    /* For the moment, we still default to iptables. This should
-     * change once nftables is proven to work well. */
-    return NM_FIREWALL_BACKEND_IPTABLES;
+    if (g_file_test(NFT_PATH, G_FILE_TEST_IS_EXECUTABLE))
+        return NM_FIREWALL_BACKEND_NFTABLES;
+    if (g_file_test(IPTABLES_PATH, G_FILE_TEST_IS_EXECUTABLE))
+        return NM_FIREWALL_BACKEND_IPTABLES;
+
+    return NM_FIREWALL_BACKEND_NFTABLES;
 }
 
 NMFirewallBackend
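Review bot: The final `return NM_FIREWALL_BACKEND_NFTABLES;` in _firewall_backend_detect() selects a backend whose binary was just found to be absent, and nothing records which branch was taken, so an operator whose shared-mode NAT rules never appear has no trace of whether the nft or the iptables path was chosen; logging the detected backend (and the fact that neither executable was found) at the point of decision would make that diagnosable. Presence of an executable at NFT_PATH also does not by itself establish that the running kernel exposes nf_tables — presumably the real failure only surfaces later when the rules are applied — which is worth stating rather than leaving implicit. The removed comment carried the rationale for the old default and the new body has none; a replacement such as `/* Prefer nftables whenever its binary is installed; fall back to iptables, and to nftables again when neither is found so that the missing tool is reported by the backend itself. */` would preserve that. The enclosing function is fully visible in the hunk.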