We can load the iptables compat everytime

While nftables doesn't have any rule de-duplication capabilities, it
doesn't re-create existing chains.

If rules already exist in the "iptables compat layout", reloading the
chains won't drop anything.

Before this patch, if an operator fluches the nftables content (`nft
flush ruleset'), there was a need to manually remove
/etc/nftables/iptables.nft, so that tripleo_nftables could recreate
it, detect its changed state, and load it in nftables.

With this patch, if an operator runs `nft flush ruleset', re-running
the deploy will just re-inject the needed content without any issue.

It also takes care of a misleading comment and task name that were left
untouched after a strategy change. It should therefore be clearer for
future maintenance.

Change-Id: I3d03d7abfd009b724856e6b621867e48e5fafee7

tripleo_ansible/roles/tripleo_nftables/tasks/main.yml

@@ -29,15 +29,12 @@
 - name: IPtables compatibility layout
   become: true
   block:
-    - name: Push initial, empty ruleset
-      register: init_nftables
+    - name: Push empty ruleset
       copy:
         dest: /etc/nftables/iptables.nft
         src: iptables.nft
 
-    - name: Load empty ruleset if needed
-      when:
-        - init_nftables is changed
+    - name: Load empty ruleset
       ansible.builtin.command: nft -f /etc/nftables/iptables.nft
 
 # Get current nft rules in JSON format, with our iptables compat content.
@@ -123,11 +120,9 @@
   become: true
   ansible.builtin.command: nft -f /etc/nftables/tripleo-chains.nft
 
-# Here, we make different call in order to avoid jumps duplication.
-# In both cases, we flush the custom chains. Doing things like that ensures
-# we run all, from the flush to the rule creation, in a single transaction.
+# Load all the ruleset in a single transaction.
 # This prevents accidental lock-outs.
-- name: Reload custom nftables ruleset WITH jumps
+- name: Reload custom nftables ruleset files
   become: true
   ansible.builtin.shell: >-
     cat /etc/nftables/tripleo-flushes.nft