From bc84cdaf11d1f4c5d30312a915ddb31cb9f146e7 Mon Sep 17 00:00:00 2001
From: Justin SB
Date: Sat, 13 Feb 2021 14:57:50 -0500
Subject: [PATCH] iptables: Use the lock when checking for existing rules

Otherwise we sometimes get an "in-use" message, telling us to use the lock, if another iptables process is running concurrently.
---
 nodeup/pkg/model/firewall.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nodeup/pkg/model/firewall.go b/nodeup/pkg/model/firewall.go
index 6453bdbe4e..b87750b9db 100644
--- a/nodeup/pkg/model/firewall.go
+++ b/nodeup/pkg/model/firewall.go
@@ -73,13 +73,13 @@ func (b *FirewallBuilder) buildFirewallScript() *nodetasks.File {
 # The GCI image has host firewall which drop most inbound/forwarded packets.
 # We need to add rules to accept all TCP/UDP/ICMP packets.
-if iptables -L INPUT | grep "Chain INPUT (policy DROP)" > /dev/null; then
+if iptables -w -L INPUT | grep "Chain INPUT (policy DROP)" > /dev/null; then
 echo "Add rules to accept all inbound TCP/UDP/ICMP packets"
 iptables -A INPUT -w -p TCP -j ACCEPT
 iptables -A INPUT -w -p UDP -j ACCEPT
 iptables -A INPUT -w -p ICMP -j ACCEPT
 fi
-if iptables -L FORWARD | grep "Chain FORWARD (policy DROP)" > /dev/null; then
+if iptables -w -L FORWARD | grep "Chain FORWARD (policy DROP)" > /dev/null; then
 echo "Add rules to accept all forwarded TCP/UDP/ICMP packets"
 iptables -A FORWARD -w -p TCP -j ACCEPT
 iptables -A FORWARD -w -p UDP -j ACCEPT
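Review bot: The new `iptables -w -L INPUT` / `iptables -w -L FORWARD` checks on the `+` lines still list the chain without `-n`, so iptables tries to reverse-resolve any address or port in the existing rules while it holds the xtables lock, and a slow resolver can stall this script (and, now that `-w` is used, every other iptables caller on the node) for a long time; `iptables -w -n -L INPUT | grep "Chain INPUT (policy DROP)" > /dev/null` is the cheaper and more predictable form, since only the chain header line is being matched. Bare `-w` also waits for the lock indefinitely; if the surrounding task has its own timeout, a bounded wait such as `-w 5` (the optional seconds argument exists on newer iptables, so confirm the image's version) fails visibly instead of hanging. Note that the pipeline's exit status is grep's, so an iptables failure is silently read as "policy is not DROP" and the ACCEPT rules are skipped — pre-existing behaviour, but worth a comment or `set -o pipefail` if the generated script runs under bash. buildFirewallScript starts before this hunk and the script continues past it.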