iptables: Change locking semantics.

Instead of acquiring a lock before we parse any commands and
holding on to it until the process terminates, we now acquire
the lock when a new table handle is created (on encountering
'*') and release the lock when the table is committed
(COMMIT). The "-w" option continues to apply.

Note that support for -w in iptables[6]-restore has not been
sent upstream yet, so this patch should be sent at the same time
as that one.

Bug: 32323979
Test: manual

Signed-off-by: Narayan Kamath <narayan@google.com>
Change-Id: I10094290eff834e076bb03d53e40eae9b96c1fae
6 files changed