From 79d9441567ffc12c61eb6abc5b98dd11f8a730a0 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Mon, 14 Jun 2021 11:13:57 +0200
Subject: [PATCH] firewall: change default for firewall-backend to "nftables""

It seems that the nftables backend works well. Let's change the default.

This will also be backported to nm-1-32 branch, for 1.32.0 release.

This reverts commit 0609f1f31c48271b583a36bddfa12093d1fdc8df.
---
 NEWS                         | 4 +++-
 src/core/nm-firewall-utils.c | 9 ++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 2d27e83588..e598373ff3 100644
--- a/NEWS
+++ b/NEWS
@@ -27,7 +27,9 @@ USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE!
   This allows to configure devices in udev for which DHCPOFFER messages
   are to be broadcast.
 * firewall: add nftables firewall backend for configuring IPv4 NAT with shared
-  mode.
+  mode. Now two backends are supported, "iptables" and "nftables". The default
+  gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed,
+  with nftables preferred.
 * ethtool: add support for pause settings.
 * Support "prohibit"/"blackhole"/"unreachable" type routing rules.
 * Now NetworkManager preserves by default the existing traffic control
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index f5c02f90a5..cc342b3f22 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -738,9 +738,12 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared)
 static NMFirewallBackend
 _firewall_backend_detect(void)
 {
-    /* For the moment, we still default to iptables. This should
-     * change once nftables is proven to work well. */
-    return NM_FIREWALL_BACKEND_IPTABLES;
+    if (g_file_test(NFT_PATH, G_FILE_TEST_IS_EXECUTABLE))
+        return NM_FIREWALL_BACKEND_NFTABLES;
+    if (g_file_test(IPTABLES_PATH, G_FILE_TEST_IS_EXECUTABLE))
+        return NM_FIREWALL_BACKEND_IPTABLES;
+
+    return NM_FIREWALL_BACKEND_NFTABLES;
 }
 
 NMFirewallBackend
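Review bot: The final `return NM_FIREWALL_BACKEND_NFTABLES;` in _firewall_backend_detect is reached when neither NFT_PATH nor IPTABLES_PATH is executable, and nothing in the function records which branch was taken, so a missing or non-executable binary only surfaces later, when the chosen backend is actually invoked. The removed comment documented the policy; the new body should keep one, e.g. `/* Prefer nftables; use iptables only when nft is absent. If neither is installed, still pick nftables so the failure is reported by that backend. */`. Presumably this probe only shows that the userspace tool exists, not that the running kernel supports it (containers and minimal images come to mind), so a debug-level log of the detected backend, using whatever logging macro this file already has, would make misdetections diagnosable from the journal.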