From 3ffffc0cffb14295d7a551896b9b69290c6f4ff0 Mon Sep 17 00:00:00 2001
From: Phil Estes
Date: Tue, 20 Jan 2015 18:05:39 -0500
Subject: [PATCH] Move iptables check out of runtime init() to separate function Due to the iptables package being `init`ed at start of the docker runtime, this means the iptables --wait command listing all rules is run, no matter if the command is simply "docker -h". It makes more sense to both locate the iptables command and check for the wait flag support at the time iptables is actually used, as it may not be used at all if certain network support is off/configured differently.
Docker-DCO-1.1-Signed-off-by: Phil Estes (github: estesp)
---
 iptables/iptables.go | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/iptables/iptables.go b/iptables/iptables.go
index 90ccbef..010c99b 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -24,6 +24,7 @@ const (
 )
 var (
+ iptablesPath string
 supportsXlock = false
 ErrIptablesNotFound = errors.New("Iptables not found")
 )
@@ -43,8 +44,17 @@ func (e *ChainError) Error() string {
 return fmt.Sprintf("Error iptables %s: %s", e.Chain, string(e.Output))
 }
-func init() {
- supportsXlock = exec.Command("iptables", "--wait", "-L", "-n").Run() == nil
+func initCheck() error {
+
+ if iptablesPath == "" {
+ path, err := exec.LookPath("iptables")
+ if err != nil {
+ return ErrIptablesNotFound
+ }
+ iptablesPath = path
+ supportsXlock = exec.Command(iptablesPath, "--wait", "-L", "-n").Run() == nil
+ }
+ return nil
 }
 func NewChain(name, bridge string, table Table) (*Chain, error) {
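Review bot: `initCheck()` reads and writes the package-level `iptablesPath` and `supportsXlock` with no synchronization, whereas the removed `init()` ran exactly once before any caller could reach `Raw`. Because `iptablesPath = path` is assigned before the `--wait` probe returns, a second goroutine entering `Raw` (third hunk) in that window would see a non-empty path, skip the check and run without `--wait` while `supportsXlock` is still false; whether `Raw` is called concurrently is not visible in this patch, but package-level state like this should assume it is. A mutex around the whole function (needs the `sync` import) fixes this and, unlike `sync.Once`, keeps the retry when the binary is missing. The probe also treats any non-zero exit as "no --wait support" for the rest of the process, which a doc comment on `initCheck` should state.

```go
// initMu guards iptablesPath and supportsXlock.
var initMu sync.Mutex

// initCheck locates iptables and probes --wait support on first use.
func initCheck() error {
	initMu.Lock()
	defer initMu.Unlock()
	if iptablesPath != "" {
		return nil
	}
	// … unchanged: LookPath, ErrIptablesNotFound return, path assignment and --wait probe …
	return nil
}
```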
@@ -258,18 +268,17 @@ func Exists(args ...string) bool {
 // Call 'iptables' system command, passing supplied arguments
 func Raw(args ...string) ([]byte, error) {
- path, err := exec.LookPath("iptables")
- if err != nil {
- return nil, ErrIptablesNotFound
- }
+ if err := initCheck(); err != nil {
+ return nil, err
+ }
 if supportsXlock {
 args = append([]string{"--wait"}, args...)
 }
- log.Debugf("%s, %v", path, args)
+ log.Debugf("%s, %v", iptablesPath, args)
- output, err := exec.Command(path, args...).CombinedOutput()
+ output, err := exec.Command(iptablesPath, args...).CombinedOutput()
 if err != nil {
 return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err)
 }
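Review bot: `exec.Command(iptablesPath, args...)` now runs whatever a single `$PATH` lookup returned on first use, for the rest of the process, where the old code resolved the binary on every call. If that lookup yields a relative path (possible when `PATH` holds a relative entry), every later rule change depends on the working directory at call time; nothing here shows how the daemon's `PATH` is set, so treat this as a hardening point rather than a confirmed defect. Consider rejecting a non-absolute result in `initCheck`, e.g. `if !filepath.IsAbs(path) { return ErrIptablesNotFound }` (needs `path/filepath`), and logging the resolved path once at a level operators will see, not only in `log.Debugf`. `Raw`'s body continues past the end of this hunk.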