tier-1: drop iptables alternatives hack

We only ship iptables-nft, so there's no need to explicitly
override the symlinks anymore. To enforce this remains the case, add
`iptables-legacy` to the exclusion list.

tier-1/manifest.yaml

@@ -67,19 +67,6 @@ postprocess:
     systemctl preset-all
     rm -rf /etc/systemd/user/*
     systemctl --user --global preset-all
-  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
-  # remove iptables-legacy. This is needed because alternatives don't work
-  # https://github.com/coreos/fedora-coreos-tracker/issues/677
-  # https://github.com/coreos/fedora-coreos-tracker/issues/676
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    ln -sf /usr/sbin/ip6tables-nft         /etc/alternatives/ip6tables
-    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
-    ln -sf /usr/sbin/ip6tables-nft-save    /etc/alternatives/ip6tables-save
-    ln -sf /usr/sbin/iptables-nft          /etc/alternatives/iptables
-    ln -sf /usr/sbin/iptables-nft-restore  /etc/alternatives/iptables-restore
-    ln -sf /usr/sbin/iptables-nft-save     /etc/alternatives/iptables-save
   # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
   #      https://bugzilla.redhat.com/show_bug.cgi?id=2112857
   #      https://github.com/coreos/rpm-ostree/issues/3918
@@ -108,3 +95,6 @@ exclude-packages:
   # Do not use legacy ifcfg config format in NetworkManager
   # See https://github.com/coreos/fedora-coreos-config/pull/1991
   - NetworkManager-initscripts-ifcfg-rh
+  # Let's not have both legacy and nft versions in the image. Users are free to
+  # also layer legacy themselves if they want.
+  - iptables-legacy