firewall: change default for firewall-backend to "nftables""

It seems that the nftables backend works well. Let's change the default.
This will also be backported to nm-1-32 branch, for 1.32.0 release.

This reverts commit 0609f1f31c.

NEWS

@@ -27,7 +27,9 @@ USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
   This allows to configure devices in udev for which DHCPOFFER messages are to be
   broadcast.
 * firewall: add nftables firewall backend for configuring IPv4 NAT with shared
-  mode.
+  mode. Now two backends are supported, "iptables" and "nftables". The default
+  gets detected based on whether /usr/sbin/nft or /usr/sbin/iptables is installed,
+  with nftables preferred.
 * ethtool: add support for pause settings.
 * Support "prohibit"/"blackhole"/"unreachable" type routing rules.
 * Now NetworkManager preserves by default the existing traffic control

src/core/nm-firewall-utils.c

@@ -738,9 +738,12 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared)
 static NMFirewallBackend
 _firewall_backend_detect(void)
 {
-    /* For the moment, we still default to iptables. This should
-     * change once nftables is proven to work well. */
-    return NM_FIREWALL_BACKEND_IPTABLES;
+    if (g_file_test(NFT_PATH, G_FILE_TEST_IS_EXECUTABLE))
+        return NM_FIREWALL_BACKEND_NFTABLES;
+    if (g_file_test(IPTABLES_PATH, G_FILE_TEST_IS_EXECUTABLE))
+        return NM_FIREWALL_BACKEND_IPTABLES;
+
+    return NM_FIREWALL_BACKEND_NFTABLES;
 }
 
 NMFirewallBackend