guestagent: `worthCheckingIPTables` logic seems incorrect

[AkihiroSuda]

lima/pkg/guestagent/guestagent_linux.go

Lines 56 to 74 in 6c5ee21

	if auditStatus.Enabled == 0 {
	logrus.Info("Enabling auditing")
	if err = auditClient.SetEnabled(true, libaudit.WaitForReply); err != nil {
	return nil, err
	}
	auditStatus, err := auditClient.GetStatus()
	if err != nil {
	return nil, err
	}
	if auditStatus.Enabled == 0 {
	if err = auditClient.SetEnabled(true, libaudit.WaitForReply); err != nil {
	return nil, err
	}
	}
	go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle)
	} else {
	a.worthCheckingIPTables = true
	}

lima/pkg/guestagent/guestagent_linux.go

Lines 85 to 87 in 6c5ee21

	if !supportsAuditing {
	a.worthCheckingIPTables = true
	}

The former part sets a.worthCheckingIPTables = true when audit is enabled.
OTOH, the latter one sets a.worthCheckingIPTables = true when audit is disabled.

[ashwat287]

When the agent starts and auditing is already enabled, the code sets a.worthCheckingIPTables = true and does not start setWorthCheckingIPTablesRoutine. The routine is the only place that later sets the flag to false or back to true on NETFILTER_CFG events. Because it is not started in this path, worthCheckingIPTables stays true permanently. The code path that would use the cached a.latestIPTables (the else branch when the flag is false) never executes. Only when the agent itself enables auditing (initially disabled case) does it launch the routine and allow the flag to change state. This creates inconsistent behavior between “auditing already enabled” and “auditing just enabled” starts.