I have come across this post regarding the logic behind choosing the firewall driver when trying to debug why my firewall rules were being created in nftables instead of xtables.
I was wondering if there is a way to strictly choose a firewall driver to use even if say both nftables and xtables are empty and available to use xtables regardless.
Not currently; you can only influence the decision by the available tooling (although this is bundled with the snap, so it can't be controlled by the admin if using the snap package) and the rulesets that are active.
We may be able to add an environment variable to force it one way or the other, but in general don’t like messing with that too much as we’d likely end up with a bunch of folks setting it to xtables, forgetting about it and a few years later being in a lot of pain when everything else uses nft and they’re getting a mixed set of rules (which is non-deterministic as far as enforcement behavior).
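To see which backend actually holds rules on a host (and to catch the mixed nftables/xtables state the reply warns about), here is an added diagnostic script that is not part of the thread or of LXD itself; it assumes `nft`, `iptables-save` and `ip6tables-save` are on PATH for a live run, and the two sample dumps are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the forum thread or LXD): count rules held by the
# nftables and xtables backends and classify the host as nftables/xtables/mixed.

# Count rule lines in `nft list ruleset` output read from stdin: lines nested
# directly inside a chain, excluding the chain's own "type ... hook ...; policy ...;" header.
nft_rule_count() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        depth == 2 && inchain && line != "}" && line !~ /^type / && line !~ /^policy / { n++ }
        depth == 1 && line ~ /^chain / { inchain = 1 }
        depth == 1 && line !~ /^chain / { inchain = 0 }
        { depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line) }
        END { print n + 0 }
    '
}

# Count rule lines in iptables-save/ip6tables-save output read from stdin ("-A ..." lines).
xtables_rule_count() {
    grep -c '^-A ' || true   # grep -c prints 0 (exit 1) when nothing matches
}

# Given the two counts, print which backend(s) hold rules: nftables, xtables, mixed or none.
classify_backends() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo mixed
    elif [ "$1" -gt 0 ]; then echo nftables
    elif [ "$2" -gt 0 ]; then echo xtables
    else echo none; fi
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_NFT=$(cat <<'EOF'
table inet filter {
    set trusted {
        type ipv4_addr
        elements = { 10.0.0.1 }
    }
    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        iifname "lo" accept
    }
}
EOF
)
SAMPLE_XT=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
)

# Live check (needs root): classify_backends "$(nft list ruleset 2>/dev/null | nft_rule_count)" \
#   "$( { iptables-save; ip6tables-save; } 2>/dev/null | xtables_rule_count)"
```

Running the live check after LXD has started shows which backend received its rules; a result of `mixed` is the situation to clean up before relying on the ruleset.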