Make sure all iptables commands use -w

iptables invocations that happen in parallel can "collide" with each
other, resulting in intermittent failures.  The `-w` flag prevents this.

BUG=chromium:646827
TEST=`FEATURES=test emerge-link firewalld`

Change-Id: Id0f8d982379b3dcaa87a08add8e24f434e0f0ae8
Reviewed-on: https://chromium-review.googlesource.com/391041
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
diff --git a/iptables.cc b/iptables.cc
index 915a1ac..e8ca006 100644
--- a/iptables.cc
+++ b/iptables.cc
@@ -387,6 +387,7 @@
   argv.push_back(interface);
   argv.push_back("-j");
   argv.push_back("MASQUERADE");
+  argv.push_back("-w");  // Wait for xtables lock
 
   // Use CAP_NET_ADMIN|CAP_NET_RAW.
   if (ExecvNonRoot(argv, kIpTablesCapMask) != 0) {
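Review bot: The `-w` added after `MASQUERADE` carries no timeout, so the iptables child will wait for the xtables lock indefinitely. Since `ExecvNonRoot` returns the child's status, it presumably blocks until the child exits, and a stalled lock holder would then turn an intermittent failure into a hung firewall request rather than a reported error. If the iptables build shipped here accepts the optional seconds argument to `-w`, a bounded wait keeps the failure visible, e.g. `argv.push_back("-w"); argv.push_back(kXtablesLockTimeoutSecs);` where the string constant is new and its name is only a suggestion. The same applies to the `-w` added after `kMarkForUserTraffic` in the second hunk. The enclosing function starts and ends outside the hunk, so any timeout the caller may already impose is not visible here.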
@@ -442,6 +443,7 @@
   argv.push_back("MARK");
   argv.push_back("--set-mark");
   argv.push_back(kMarkForUserTraffic);
+  argv.push_back("-w");  // Wait for xtables lock
 
   // Use CAP_NET_ADMIN|CAP_NET_RAW.
   bool success = ExecvNonRoot(argv, kIpTablesCapMask) == 0;
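Review bot: The literal `"-w"` and its comment are now repeated per call site, here after `kMarkForUserTraffic` and in the first hunk after `MASQUERADE`. A future iptables invocation that omits it would silently reintroduce the lock collisions this commit removes. Keeping the flag in one place avoids that, for example a named constant such as `const char kIpTablesWaitFlag[] = "-w";  // Wait for xtables lock`, or a small helper that appends the lock-wait arguments just before `ExecvNonRoot` is called. The enclosing function continues outside the hunk.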