From 1e8a6318854c65e8ee05c89d365bb303f33528f1 Mon Sep 17 00:00:00 2001
From: Rayson Zhu
Date: Mon, 14 Nov 2016 04:47:33 -0600
Subject: [PATCH] fix permission check on operating iptables (#947)
---
 src/acl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/acl.c b/src/acl.c
index 76d76170..155bb145 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -130,7 +130,11 @@ init_firewall()
 if (pclose(fp) == 0) {
 mode = FIREWALLD_MODE;
 } else {
- sprintf(cli, "iptables --version 2>&1");
+ /* Check whether we have permission to operate iptables.
+ * Note that checking `iptables --version` is insufficient:
+ * eg, running within a child user namespace.
+ */
+ sprintf(cli, "iptables -L 2>&1");
 fp = popen(cli, "r");
 if (fp == NULL) return -1;
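Review bot: The new `iptables -L 2>&1` probe can stall init_firewall on a host with a large rule set: the full listing is written into the popen() pipe, nothing in the hunk reads that pipe, and if this branch mirrors the firewalld check above and goes straight to pclose(), the child blocks on write once the output exceeds the pipe buffer while the parent blocks in pclose(). Listing without `-n` also makes iptables reverse-resolve every address in the rules, so startup can hang on DNS even when the permission check itself would pass. Since only the exit status is used here, discard the output and skip name resolution: `sprintf(cli, "iptables -L -n >/dev/null 2>&1");`. If `cli` is a fixed-size array, `snprintf(cli, sizeof cli, ...)` would make the bound explicit, though with a literal format string the current call is not overflowable. init_firewall's body starts and ends outside the hunk, so the declaration of `cli` and the pclose() that consumes this stream are not visible here.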