GoogleCloudPlatform/netd

Bug allows deletion of system default chains

Closed this issue · 1 comment

This conditional statement allows deletion of system default chains:

netd/pkg/config/config.go

Lines 227 to 238 in fef8459

```go
if r.Spec.IsDefaultChain {
	for _, rs := range r.RuleSpecs {
		if err := r.IPT.Delete(r.Spec.TableName, r.Spec.ChainName, rs...); err != nil {
			if eerr, eok := err.(*iptables.Error); !eok || eerr.ExitStatus() != 2 {
				// TODO: better handling the error
				if !strings.Contains(eerr.Error(), "No chain/target/match") {
					return err
				}
			}
		}
	}
}
```

Which contradicts this comment:

```go
// IPTablesChainSpec defines iptable chain
type IPTablesChainSpec struct {
	TableName, ChainName string
	IsDefaultChain       bool // Is a System default chain, if yes, we won't delete it.
	IPT                  iptabler
}
```

Seems to be a bug? (the conditional should be negated)

Never mind, this logic deletes the rules that were added to system default chains, which is correct. It does not delete rules of a non-system-default chain because it should have already been deleted in the ensure function (above this Ensure function).
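As an added example (not netd's own code), the cleanup rule the comment above describes: a system default chain is never deleted, only the rules netd added to it are removed, while a netd-owned chain is flushed and deleted, and a rule or chain that is already gone (iptables exit status 2, "No chain/target/match") is not treated as a failure. The `iptabler` interface, the `exitError` type standing in for go-iptables' `*iptables.Error`, and the `fakeIPT` recorder are assumptions made for this example.

```go
package main
import (
	"errors"
	"fmt"
	"strings"
)
// iptabler is the subset of an iptables client the cleanup needs (stand-in for netd's own interface).
type iptabler interface {
	Delete(table, chain string, rulespec ...string) error
	ClearAndDeleteChain(table, chain string) error
}
// exitError stands in for go-iptables' *iptables.Error; exit status 2 means "no such rule/chain" (assumption).
type exitError struct{ status int; msg string }
func (e *exitError) Error() string   { return e.msg }
func (e *exitError) ExitStatus() int { return e.status }
// isNotFound: a rule or chain that is already gone is not a failure for a cleanup routine.
func isNotFound(err error) bool {
	var ee *exitError
	return (errors.As(err, &ee) && ee.ExitStatus() == 2) || strings.Contains(err.Error(), "No chain/target/match")
}
// chainSpec mirrors IPTablesChainSpec from the issue.
type chainSpec struct {
	TableName, ChainName string
	IsDefaultChain       bool       // system default chain: never deleted, only netd's rules are removed
	RuleSpecs            [][]string // rules netd added to the chain
}
// cleanup removes only netd's rules from a system default chain; a netd-owned chain is flushed and deleted.
func cleanup(ipt iptabler, s chainSpec) error {
	if !s.IsDefaultChain {
		return ipt.ClearAndDeleteChain(s.TableName, s.ChainName)
	}
	for _, rs := range s.RuleSpecs {
		if err := ipt.Delete(s.TableName, s.ChainName, rs...); err != nil && !isNotFound(err) {
			return err
		}
	}
	return nil
}
// fakeIPT (constructed) records calls; Delete reports exit status 2, as iptables does for a rule that is gone.
type fakeIPT struct{ Calls []string }
func (f *fakeIPT) Delete(t, c string, _ ...string) error {
	f.Calls = append(f.Calls, "delete-rule "+t+"/"+c)
	return &exitError{status: 2, msg: "iptables: No chain/target/match by that name."}
}
func (f *fakeIPT) ClearAndDeleteChain(t, c string) error { f.Calls = append(f.Calls, "delete-chain "+t+"/"+c); return nil }
func main() {
	f := &fakeIPT{}
	fmt.Println(cleanup(f, chainSpec{"nat", "POSTROUTING", true, [][]string{{"-j", "MASQUERADE"}}}), f.Calls)
}
```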