neutron/roles/nftables/tasks/main.yaml

- name: Ensure nftables is installed
  package:
    name: 'nftables'
    state: latest
  become: yes

- name: Switch to nftables binaries
  shell:
    cmd: |
      /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
      /usr/bin/update-alternatives --set iptables-save /usr/sbin/iptables-nft-save
      /usr/bin/update-alternatives --set iptables-restore /usr/sbin/iptables-nft-restore
      /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
      /usr/bin/update-alternatives --set ip6tables-save /usr/sbin/ip6tables-nft-save
      /usr/bin/update-alternatives --set ip6tables-restore /usr/sbin/ip6tables-nft-restore
      /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
      /usr/bin/update-alternatives --set ebtables-save /usr/sbin/ebtables-nft-save
      /usr/bin/update-alternatives --set ebtables-restore /usr/sbin/ebtables-nft-restore
      /usr/bin/update-alternatives --set arptables /usr/sbin/arptables-nft      
    executable: /bin/bash
  become: yes

- name: Restart nftables service, that will replace iptables(4,6), ebtables and arptables
  ansible.builtin.systemd:
    state: restarted
    name: nftables.service
  become: yes

- name: Check ipv4 rules, stored by iptables-persistent
  stat:
    path: '/etc/iptables/rules.v4'
  register: ipv4_rules_file

- name: Check ipv6 rules, stored by iptables-persistent
  stat:
    path: '/etc/iptables/rules.v6'
  register: ipv6_rules_file

- name: Restore saved IPv4 iptables rules, stored by iptables-persistent
  shell:
    cmd: |
      iptables-restore '{{ ipv4_rules_file.stat.path }}'      
  become: yes
  when: ipv4_rules_file.stat.exists

- name: Restore saved IPv6 iptables rules, stored by iptables-persistent
  shell:
    cmd: |
      ip6tables-restore '{{ ipv6_rules_file.stat.path }}'      
  become: yes
  when: ipv6_rules_file.stat.exists