From 2a2f75daf149eb033fab1e91c2b1dab943122805 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sat, 9 Aug 2025 09:14:09 -0700 Subject: [PATCH] base / iptables: don't remove iptables for now This was a good change in theory, but in practice it's not. The 'iptables-legacy' package provides 'iptables' so it gets removed, but there's some things we still install that depend on it, so it just gets pulled in later as a dependency. Examples: build* machines install oz and ImageFactory that need it (but we can possibly drop those now) virthosts have some libvirt subpackages that require it. I'm not sure we can readd this in a targeted way or should just drop it for now entirely. Signed-off-by: Kevin Fenzi
---
 roles/base/tasks/main.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index f65e12a2ef..f720ebea3e 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -168,12 +168,12 @@
 - base
 when: nftables
-- name: Ensure iptables is not installed
- ansible.builtin.package: state=absent name=iptables
- tags:
- - packages
- - base
- when: nftables
+#- name: Ensure iptables is not installed
+# ansible.builtin.package: state=absent name=iptables
+# tags:
+# - packages
+# - base
+# when: nftables
 - name: Ensure ipset is installed
 ansible.builtin.package: state=present name=ipset
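Review bot: The task commented out at `#- name: Ensure iptables is not installed` has no explanation in the file itself, so the reason it is disabled lives only in the commit message. A short comment above the block would keep that context next to the code, e.g. `# Disabled: iptables-legacy provides 'iptables' and is pulled back in as a dependency (oz/ImageFactory on build hosts, libvirt subpackages on virthosts); re-enable once those are gone.` With the removal disabled, hosts where `nftables` is set keep the iptables tooling installed next to nftables. Rules loaded through the legacy backend would presumably not show up in the nft ruleset, so firewall audits on those hosts should inspect both.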