fix(NSC): clear IPVS firewall chain for all IP families when ipvsPermitAll is false#2023

Closed
Aprazor wants to merge 1 commit into cloudnativelabs:master from Aprazor:fix/ipvs-firewall-early-return-dual-stack

Conversation

@Aprazor
Contributor

@Aprazor Aprazor commented Mar 18, 2026

What type of PR is this?

bug

What this PR does / why we need it:

On dual-stack nodes, setupIpvsFirewall() loops over both IPv4 and IPv6 iptables handlers. When ipvsPermitAll is false, the function used return nil after clearing the chain for the first IP family, which skipped the second family entirely — leaving one family's firewall chain unconfigured.

The fix changes return nil to continue so both IP families have their chains properly cleared.

Which issue(s) this PR is related to:

None found.

Was AI used during the creation of this PR?

  • What tool was used: Claude Code
  • To what extent was the tool used? Code review identified the logic error in the dual-stack loop, human reviewed and confirmed the one-word fix
  • If drafted, how detailed of a plan did you create for the AI? Detailed — identified the exact control flow issue in the loop, confirmed the second IP family was being skipped
  • Help us understand if a human was in the loop or not for this PR? Yes — human confirmed the finding, reviewed the diff, and approved before submission

What, if any, amount of integration testing was done with this change in a Kubernetes environment?

Unit tests pass. No integration testing — the bug only manifests on dual-stack nodes with ipvsPermitAll=false.

Does this PR introduce a breaking change?

NONE

Anything else the reviewer should know that wasn't already covered?

This is a one-word change: 'return nil' → 'continue'. The bug would cause asymmetric firewall behavior on dual-stack clusters where only one IP family's IPVS firewall chain gets cleared.
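The control flow described in this PR, as an added Go example that is not kube-router's own code: a hypothetical in-memory iptables handler (fakeIPTables) stands in for the real per-family handlers, the chain name and the stale rules it is seeded with are constructed placeholders, and the two setup functions reproduce the 'return nil' and 'continue' variants so the asymmetric result on a dual-stack node can be observed directly.

```go
package main

import "fmt"

// Placeholder chain name for the example; the real chain name is not given on the page.
const ipvsFirewallChain = "EXAMPLE-IPVS-FIREWALL"

// fakeIPTables is a hypothetical in-memory stand-in for one per-family iptables
// handler, so the effect of each control-flow variant can be inspected directly.
type fakeIPTables struct {
	family string
	chains map[string][]string
}

// newFakeIPTables pre-loads the firewall chain with constructed stale rules,
// which is the state the setup function is expected to clear.
func newFakeIPTables(family string, staleRules ...string) *fakeIPTables {
	return &fakeIPTables{
		family: family,
		chains: map[string][]string{ipvsFirewallChain: staleRules},
	}
}

func (f *fakeIPTables) ClearChain(chain string) error {
	f.chains[chain] = nil
	return nil
}

func (f *fakeIPTables) AppendRule(chain, rule string) error {
	f.chains[chain] = append(f.chains[chain], rule)
	return nil
}

func (f *fakeIPTables) Rules(chain string) []string { return f.chains[chain] }

// setupIpvsFirewallBuggy mirrors the pre-fix control flow the PR describes:
// the chain is cleared for the first family, then 'return nil' ends the loop
// before the second family is ever visited.
func setupIpvsFirewallBuggy(handlers []*fakeIPTables, permitAll bool) error {
	for _, h := range handlers {
		if err := h.ClearChain(ipvsFirewallChain); err != nil {
			return err
		}
		if !permitAll {
			return nil // BUG: skips every remaining IP family
		}
		if err := h.AppendRule(ipvsFirewallChain, "-j ACCEPT"); err != nil {
			return err
		}
	}
	return nil
}

// setupIpvsFirewallFixed applies the one-word change: 'continue' moves on to
// the next family instead of leaving the function.
func setupIpvsFirewallFixed(handlers []*fakeIPTables, permitAll bool) error {
	for _, h := range handlers {
		if err := h.ClearChain(ipvsFirewallChain); err != nil {
			return err
		}
		if !permitAll {
			continue // clear only; no permit rules for this family
		}
		if err := h.AppendRule(ipvsFirewallChain, "-j ACCEPT"); err != nil {
			return err
		}
	}
	return nil
}

// familiesWithRules lists, in handler order, the families whose firewall chain
// still holds rules; after a run with permitAll=false it should be empty.
func familiesWithRules(handlers []*fakeIPTables) []string {
	var out []string
	for _, h := range handlers {
		if len(h.Rules(ipvsFirewallChain)) > 0 {
			out = append(out, h.family)
		}
	}
	return out
}

// newDualStackHandlers builds the two-family handler list of a dual-stack node,
// each seeded with one constructed stale rule.
func newDualStackHandlers() []*fakeIPTables {
	return []*fakeIPTables{
		newFakeIPTables("ipv4", "-s 10.0.0.0/8 -j ACCEPT"),
		newFakeIPTables("ipv6", "-s fd00::/8 -j ACCEPT"),
	}
}

func main() {
	hs := newDualStackHandlers()
	_ = setupIpvsFirewallBuggy(hs, false)
	fmt.Println("return nil (before): families still holding stale rules:", familiesWithRules(hs))
	hs = newDualStackHandlers()
	_ = setupIpvsFirewallFixed(hs, false)
	fmt.Println("continue (after):    families still holding stale rules:", familiesWithRules(hs))
}
```

With permitAll=false the buggy variant leaves the IPv6 chain holding its stale rule while IPv4 is cleared, which is the asymmetric state the PR describes; the fixed variant clears both, and with permitAll=true both variants behave the same because the early return is never reached.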

…itAll is false

On dual-stack nodes, setupIpvsFirewall loops over both IPv4 and IPv6
iptables handlers. When ipvsPermitAll is false, the function used
'return nil' after clearing the chain for the first family, which
skipped the second family entirely. Change to 'continue' so both
IP families have their chains cleared.
@aauren
Collaborator

aauren commented Mar 23, 2026

Hi @Aprazor — please see my comment on #2020 (#2020 (comment)) for feedback on how to consolidate your PRs. Thanks!

@Aprazor
Contributor Author

Aprazor commented Mar 23, 2026

Superseded by #2041 (consolidated NSC PR per @aauren's feedback)

@Aprazor Aprazor closed this Mar 23, 2026