Switch default firewall engine

Switching the FirewallEngine to nftables instead of puppet has some
consequences regarding security: the new tripleo_nftables acts on the
chain policy instead of relying on a final drop rule.

`iptables' cli cannot see nftables content we inject, since we're
using the "inet" family. Therefore, please use the `nft' CLI from
now on. Doc has been updated accordingly.

Depends-On: https://review.opendev.org/c/openstack/tripleo-puppet-elements/+/853224
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/853252
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/853934
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/856487

Depends-On: https://review.opendev.org/c/openstack/tripleo-quickstart-extras/+/857096
Depends-On: https://review.opendev.org/c/openstack/tripleo-quickstart/+/857128

Change-Id: I8124da3e53afbb410dfe6fe020ab5eead72a349a

deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml

@@ -34,7 +34,7 @@ parameters:
     tags:
       - role_specific
   FirewallEngine:
-    default: 'iptables'
+    default: 'nftables'
     description: Set the actual firewall engine. Can be "iptables" or "nftables"
     type: string
     constraints:

releasenotes/notes/nftables-13caf0261a170667.yaml

@@ -0,0 +1,11 @@
+---
+security:
+  - |
+    Switching the FirewallEngine to nftables instead of puppet has some
+    consequences regarding security: the new tripleo_nftables acts on the
+    chain policy instead of relying on a final drop rule.
+other:
+  - |
+    iptables cli cannot see nftables content we inject, since we're
+    using the "inet" family. Therefore, please use the "nft" CLI from
+    now on. Doc has been updated accordingly.