Remove iptables references from tests, docs and WSL config

[l0rd]

This PR is a follow-up of containers/netavark#1353 and removes references of iptables from the Podman source code:

• Remove iptables enforcement on WSL*
• Update test/upgrade to use nftables: CI runs upgrade from podman v5.6.2 (was 4.8.0) to current
• Minor removals of various references to iptables in docs and tests

* This temporarily breaks rootful podman on amd64 WSL, but we have successfully tested the fix that should be released soon.

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

• Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
  commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
  the sign-off email address. See CONTRIBUTING.md
  for more information.
• Referenced issues using Fixes: #00000 in commit message (if applicable)
• Tests have been added/updated (or no tests are needed)
• Documentation has been updated (or no documentation changes are needed)
• All commits pass make validatepr (format/lint checks)
• Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

Removed support for iptables

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: l0rd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [l0rd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[Luap99]

The point of the upgrade tests is to have a relative large delta as well.

What was the first podman image that has netavark with nftables support? We should tests that one as well in addition to 5.6.

[l0rd]

nftables support has been introduced in netavark v1.10.0 and the first podman image to include it is v4.9.0.

However the upgrade test from v4.9.0 is failing (podman network disconnect fails with Error removing subnet 10.88.0.0/16 from firewalld trusted zone: org.fedoraproject.FirewallD1.Exception: UNKNOWN_SOURCE: '10.88.0.0/16' is not in any zone).

The upgrade from v5.6.2 is failing too (in this case it's the output of podman images that doesn't match, probably because of a change in images order) and upgrade test from v5.5.0 fails for the same reason.

I am setting PODMAN_UPGRADE_FROM: v5.3.1 for now as this is the first version that works locally for me. I will open a separate issue for fixing/adding the test to upgrade from v5.6.2 to current.

[Luap99]

However the upgrade test from v4.9.0 is failing (podman network disconnect fails with Error removing subnet 10.88.0.0/16 from firewalld trusted zone: org.fedoraproject.FirewallD1.Exception: UNKNOWN_SOURCE: '10.88.0.0/16' is not in any zone).

Weird, as a general rule we likely should not fail on removal if it doesn't exits, we should treat it as NOP. But yeah it is old enough that I don't think we need to test updating from that.

I am setting PODMAN_UPGRADE_FROM: v5.3.1 for now as this is the first version that works locally for me. I will open a separate issue for fixing/adding the test to upgrade from v5.6.2 to current.

SGTM

[l0rd]

I have made a change so that testing the upgrade from v5.6.2 works too. I have updated .cirrus.yml to run both v5.3.1 and v5.6.2 test cases.

[l0rd]

I have opened containers/automation_images#427 to add the new images in the local registry (tests fail otherwise).

[Luap99]

LGTM overall once the doc nit from Tom is fixed, if you rebase the CI images should pick up the new test images.

[mheon]

LGTM once the upgrade tests go green