Add warning when xtables contention detected

Include original output in the warning.  Also slightly truncate the
search string as it appears that the suffix will be changing in
the near future.

Signed-off-by: Chris Telfer <ctelfer@docker.com>

iptables/iptables.go

@@ -45,7 +45,7 @@ var (
 	iptablesPath  string
 	supportsXlock = false
 	supportsCOpt  = false
-	xLockWaitMsg  = "Another app is currently holding the xtables lock; waiting"
+	xLockWaitMsg  = "Another app is currently holding the xtables lock"
 	// used to lock iptables commands if xtables lock is not supported
 	bestEffortLock sync.Mutex
 	// ErrIptablesNotFound is returned when the rule is not found.
@@ -423,11 +423,13 @@ func existsRaw(table Table, chain string, rule ...string) bool {
 	return strings.Contains(string(existingRules), ruleString)
 }
 
-func filterOutput(output []byte) []byte {
+func filterOutput(output []byte, args ...string) []byte {
 	// ignore iptables' message about xtables lock
 	if strings.Contains(string(output), xLockWaitMsg) {
+		logrus.Warnf("xtables contention detected while running [%s]: %q", strings.Join(args, " "), string(output))
 		output = []byte("")
 	}
+	// Put further filters here if desired
 	return output
 }
 
@@ -436,7 +438,7 @@ func Raw(args ...string) ([]byte, error) {
 	if firewalldRunning {
 		output, err := Passthrough(Iptables, args...)
 		if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") {
-			return filterOutput(output), err
+			return filterOutput(output, args...), err
 		}
 	}
 	return raw(args...)
@@ -460,7 +462,7 @@ func raw(args ...string) ([]byte, error) {
 		return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err)
 	}
 
-	return filterOutput(output), err
+	return filterOutput(output, args...), err
 }
 
 // RawCombinedOutput inernally calls the Raw function and returns a non nil