Update Buster requirements.

iproute2 needs to be explicitly installed, the iptables alternative needs to
iptables-legacy.

Dockerfile

@@ -15,9 +15,6 @@ RUN strip $GOPATH/bin/openvpn_exporter
 
 FROM registry.git.autistici.org/ai3/docker/chaperone-base:buster
 
-# needed for buster, but chaperone-base image is still stretch
-#RUN update-alternatives --set iptables /usr/sbin/iptables-legacy
-
 COPY --from=build /shapeshifter-dispatcher/shapeshifter-dispatcher /usr/local/bin/shapeshifter-dispatcher
 COPY --from=build /usr/sbin/openvpn /usr/sbin/openvpn
 COPY --from=build /go/bin/openvpn_exporter /usr/local/bin/openvpn_exporter
@@ -25,8 +22,10 @@ COPY chaperone.d/ /etc/chaperone.d
 RUN echo "deb http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_9.0/ /" > /etc/apt/sources.list.d/knot.list
 COPY cznic-obs.gpg /etc/apt/trusted.gpg.d
 RUN apt-get -q update && env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-        openvpn libcap2-bin netcat-openbsd iptables knot-resolver knot-resolver-module-http \
+libcap2-bin netcat-openbsd iptables iproute2 knot-resolver \
+knot-resolver-module-http \
 && rm -rf /var/lib/apt/lists/*
 RUN setcap cap_net_admin,cap_net_bind_service+ep /usr/sbin/openvpn
 RUN setcap cap_net_admin+ep /bin/ip
 RUN setcap cap_net_bind_service+ep /usr/sbin/kresd
+RUN update-alternatives --set iptables /usr/sbin/iptables-legacy