From df891bff3b725a4ae0cf78c5c81f373e93de6bb6 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Tue, 1 Aug 2023 11:22:28 -0400
Subject: [PATCH] Further fixes to IsNotExist The last fix handled iptables-legacy but not iptables-nft. Also, apparently since this is a weird "can't happen" race condition, iptables exits with status 2 rather than 1, so remove that check.
---
 iptables/iptables.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/iptables/iptables.go b/iptables/iptables.go
index e95929c..6a6d380 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -45,15 +45,21 @@ func (e *Error) Error() string {
 return fmt.Sprintf("running %v: exit status %v: %v", e.cmd.Args, e.ExitStatus(), e.msg)
 }
 
+var isNotExistPatterns = []string{
+ "Bad rule (does a matching rule exist in that chain?).\n",
+ "No chain/target/match by that name.\n",
+ "No such file or directory",
+ "does not exist",
+}
+
 // IsNotExist returns true if the error is due to the chain or rule not existing
 func (e *Error) IsNotExist() bool {
- if e.ExitStatus() != 1 {
- return false
+ for _, str := range isNotExistPatterns {
+ if strings.Contains(e.msg, str) {
+ return true
+ }
 }
- msgNoRuleExist := "Bad rule (does a matching rule exist in that chain?).\n"
- msgNoChainExist := "No chain/target/match by that name.\n"
- msgENOENT := "No such file or directory"
- return strings.Contains(e.msg, msgNoRuleExist) || strings.Contains(e.msg, msgNoChainExist) || strings.Contains(e.msg, msgENOENT)
+ return false
 }
 
 // Protocol to differentiate between IPv4 and IPv6
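Review bot: With the exit-status guard removed, IsNotExist classifies an error purely by unanchored substrings of e.msg, and the new entry `"does not exist"` is generic enough that an unrelated failure whose stderr happens to contain that phrase would also be reported as not-exist. Callers that treat IsNotExist as a benign condition (ignoring a failed delete, for instance) could then swallow a real firewall-programming failure, so it may be worth keeping a looser guard that accepts both statuses the commit message names, e.g. `if s := e.ExitStatus(); s != 1 && s != 2 { return false }`, provided the nft case really does not use other codes. A comment on isNotExistPatterns saying which iptables variant emits each string, such as `// "does not exist": iptables-nft wording (confirm exact message)`, would help the next reader judge whether a pattern can be tightened. The diffstat shows only iptables.go changed, so no test pins the new nft pattern or the status-2 case.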