From 8b9778777b1bd7dd5011a5dc6ecd7d7f4a998b85 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Apr 24 2024 20:00:51 +0000 Subject: iptables: correct invalid syntax in nat table This `[0:]` syntax doesn't seem to be correct. iptables 1.8.10 errors out on encountering it, saying: invalid policy counters for chain 'PREROUTING' this seems to be because the check was tightened between 1.8.9 and 1.8.10 to apply even when iptables is not actively restoring the counters: https://git.netfilter.org/iptables/commit/?id=4a2b2008fdf4df980433f99a6d8f2003f2005296 I think these are all meant to be 0:0, so let's make them that and stop iptables choking. Signed-off-by: Adam Williamson --- diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables index ab4f4fe..b084d19 100644 --- a/roles/base/templates/iptables/iptables +++ b/roles/base/templates/iptables/iptables @@ -116,8 +116,8 @@ COMMIT {% if nat_rules %} *nat -:PREROUTING ACCEPT [0:] -:INPUT ACCEPT [0:] +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
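Review bot: the `[0:]` to `[0:0]` change on the `:PREROUTING` and `:INPUT` policy lines is correct and minimal (the iptables-save chain line format is `:CHAIN POLICY [packets:bytes]`, and the untouched `:OUTPUT ACCEPT [0:0]` and `:POSTROUTING ACCEPT [0:0]` context lines in the same hunk already use that form), but the hunk only covers the `*nat` block starting at line 116 of the template, while the commit message says "I think these are all meant to be 0:0", so grep `roles/base/templates/iptables/iptables` for any remaining `[0:]` in the `*filter` or `*mangle` sections before merging. Since this is a Jinja template guarded by `{% if nat_rules %}`, the breakage only surfaces on hosts that render the nat table, which is why it may have gone unnoticed; rendering the template and running `iptables-restore --test` on the result in CI would catch this class of syntax error (which 1.8.10 now rejects with "invalid policy counters") before it reaches a host.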