coreos
diff --git a/‎manifests/fedora-coreos-base.yaml
Lines changed: 22 additions & 17 deletions b/‎manifests/fedora-coreos-base.yaml
Lines changed: 22 additions & 17 deletions
diff --git a/‎tests/kola/firewall/iptables-legacy/config.bu
Lines changed: 0 additions & 28 deletions b/‎tests/kola/firewall/iptables-legacy/config.bu
Lines changed: 0 additions & 28 deletions
diff --git a/‎tests/kola/firewall/iptables-legacy/data/commonlib.sh
Lines changed: 0 additions & 1 deletion b/‎tests/kola/firewall/iptables-legacy/data/commonlib.sh
Lines changed: 0 additions & 1 deletion
diff --git a/‎tests/kola/firewall/iptables-legacy/test.sh
Lines changed: 0 additions & 20 deletions b/‎tests/kola/firewall/iptables-legacy/test.sh
Lines changed: 0 additions & 20 deletions
@@ -27,6 +27,28 @@ ostree-layers:
   - overlay/25azure-udev-rules
   - overlay/30lvmdevices
 
+conditional-include:
+  - if: releasever < 43
+    include:
+      packages:
+        # iptables-legacy was in <43 but excluded from 43+
+        # https://github.com/coreos/fedora-coreos-tracker/issues/1818
+        - iptables-legacy
+      postprocess:
+        # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
+        # remove iptables-legacy. This is needed because alternatives don't work
+        # https://github.com/coreos/fedora-coreos-tracker/issues/677
+        # https://github.com/coreos/fedora-coreos-tracker/issues/676
+        - |
+          #!/usr/bin/bash
+          set -eux -o pipefail
+          ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
+          ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
+          ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
+          ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
+          ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
+          ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save
+
 # Be minimal
 recommends: false
 
@@ -71,20 +93,6 @@ postprocess:
     set -eux -o pipefail
     systemctl mask dnsmasq.service
 
-  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
-  # remove iptables-legacy. This is needed because alternatives don't work
-  # https://github.com/coreos/fedora-coreos-tracker/issues/677
-  # https://github.com/coreos/fedora-coreos-tracker/issues/676
-  - |
-    #!/usr/bin/bash
-    set -eux -o pipefail
-    ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
-    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
-    ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
-    ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
-    ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
-    ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save
-
   # sudo prefers its config files to be mode 440, and some security scanners
   # complain if /etc/sudoers.d files are world-readable.
   # https://bugzilla.redhat.com/show_bug.cgi?id=1981979
@@ -164,9 +172,6 @@ packages:
   - console-login-helper-messages-motdgen
   # i18n
   - kbd
-  # In F35+ need `iptables-legacy` package
-  # See https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
-  - iptables-legacy
   # NIC firmware we've traditionally shipped but then were split out of linux-firmware in Fedora
   - qed-firmware # https://github.com/coreos/fedora-coreos-tracker/issues/1746
   # Include udev rules for NVMe backed Azure Instances