From e2f00704928fd474cf2074a2931069d90d021087 Mon Sep 17 00:00:00 2001
From: Alessandro Boch <aboch@docker.com>
Date: Mon, 21 Nov 2016 22:02:07 -0800
Subject: [PATCH] Fix xtables_lock message probe

- iptables pkg functions are coded to discard
  the xtables_lock error message about acquiring
  the lock, because all the calls are done with
  the wait logic. But the error message has
  slightly changed between iptables 1.4.x and 1.6.
  This lead to false positives causing docker
  network create to fil in presence of concurrent calls.
- Fixed message mark to be common among the two main versions.

Signed-off-by: Alessandro Boch <aboch@docker.com>
---
 libnetwork/iptables/iptables.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libnetwork/iptables/iptables.go b/libnetwork/iptables/iptables.go
index 3884257361..e3a41b5564 100644
--- a/libnetwork/iptables/iptables.go
+++ b/libnetwork/iptables/iptables.go
@@ -45,6 +45,7 @@ var (
 	iptablesPath  string
 	supportsXlock = false
 	supportsCOpt  = false
+	xLockWaitMsg  = "Another app is currently holding the xtables lock; waiting"
 	// used to lock iptables commands if xtables lock is not supported
 	bestEffortLock sync.Mutex
 	// ErrIptablesNotFound is returned when the rule is not found.
@@ -402,7 +403,7 @@ func raw(args ...string) ([]byte, error) {
 	}
 
 	// ignore iptables' message about xtables lock
-	if strings.Contains(string(output), "waiting for it to exit") {
+	if strings.Contains(string(output), xLockWaitMsg) {
 		output = []byte("")
 	}