From 5e8285b08120f674b12a34c3f146216f6854a173 Mon Sep 17 00:00:00 2001
From: Phil Estes <estesp@linux.vnet.ibm.com>
Date: Tue, 20 Jan 2015 18:05:39 -0500
Subject: [PATCH] Move iptables check out of runtime init() to separate
 function

Due to the iptables package being `init`ed at start of the docker
runtime, this means the iptables --wait command listing all rules
is run, no matter if the command is simply "docker -h".  It makes
more sense to both locate the iptables command and check for the
wait flag support at the time iptables is actually used, as it
may not be used at all if certain network support is off/configured
differently.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
---
 pkg/iptables/iptables.go | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/pkg/iptables/iptables.go b/pkg/iptables/iptables.go
index 90ccbeff57..010c99b15c 100644
--- a/pkg/iptables/iptables.go
+++ b/pkg/iptables/iptables.go
@@ -24,6 +24,7 @@ const (
 )
 
 var (
+	iptablesPath        string
 	supportsXlock       = false
 	ErrIptablesNotFound = errors.New("Iptables not found")
 )
@@ -43,8 +44,17 @@ func (e *ChainError) Error() string {
 	return fmt.Sprintf("Error iptables %s: %s", e.Chain, string(e.Output))
 }
 
-func init() {
-	supportsXlock = exec.Command("iptables", "--wait", "-L", "-n").Run() == nil
+func initCheck() error {
+
+	if iptablesPath == "" {
+		path, err := exec.LookPath("iptables")
+		if err != nil {
+			return ErrIptablesNotFound
+		}
+		iptablesPath = path
+		supportsXlock = exec.Command(iptablesPath, "--wait", "-L", "-n").Run() == nil
+	}
+	return nil
 }
 
 func NewChain(name, bridge string, table Table) (*Chain, error) {
@@ -258,18 +268,17 @@ func Exists(args ...string) bool {
 
 // Call 'iptables' system command, passing supplied arguments
 func Raw(args ...string) ([]byte, error) {
-	path, err := exec.LookPath("iptables")
-	if err != nil {
-		return nil, ErrIptablesNotFound
-	}
 
+	if err := initCheck(); err != nil {
+		return nil, err
+	}
 	if supportsXlock {
 		args = append([]string{"--wait"}, args...)
 	}
 
-	log.Debugf("%s, %v", path, args)
+	log.Debugf("%s, %v", iptablesPath, args)
 
-	output, err := exec.Command(path, args...).CombinedOutput()
+	output, err := exec.Command(iptablesPath, args...).CombinedOutput()
 	if err != nil {
 		return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err)
 	}