diff --git a/SOURCES/bz1409513-portblock-wait.patch b/SOURCES/bz1409513-portblock-wait.patch
new file mode 100644
index 0000000..b57e5cf
--- /dev/null
+++ b/SOURCES/bz1409513-portblock-wait.patch
@@ -0,0 +1,114 @@
+From 14b45df580668220cf97744df93cb9ee5484a14e Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Thu, 8 Dec 2016 11:18:10 +0100
+Subject: [PATCH 1/2] portblock: Use -w (wait) to avoid "insufficient
+ privileges" error
+
+---
+ heartbeat/portblock | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/heartbeat/portblock b/heartbeat/portblock
+index c480954..e7de217 100755
+--- a/heartbeat/portblock
++++ b/heartbeat/portblock
+@@ -242,7 +242,7 @@ active_grep_pat()
+ chain_isactive()
+ {
+   PAT=`active_grep_pat "$1" "$2" "$3"`
+-  $IPTABLES -n -L INPUT | grep "$PAT" >/dev/null
++  $IPTABLES -w -n -L INPUT | grep "$PAT" >/dev/null
+ }
+ 
+ save_tcp_connections()
+@@ -370,13 +370,13 @@ IptablesBLOCK()
+     : OK -- chain already active
+   else
+     if $try_reset ; then
+-      $IPTABLES -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
++      $IPTABLES -w -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
+       tickle_local
+     fi
+-    $IPTABLES -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
++    $IPTABLES -w -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
+     rc=$?
+     if $try_reset ; then
+-      $IPTABLES -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
++      $IPTABLES -w -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
+     fi
+   fi
+ 
+@@ -389,7 +389,7 @@ IptablesUNBLOCK()
+   if
+     chain_isactive "$1" "$2" "$3"
+   then
+-    $IPTABLES -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
++    $IPTABLES -w -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
+   else
+     : Chain Not active
+   fi
+
+From 57d31bc04a0421cf2746830d5e987e52f9f9acd3 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Fri, 9 Dec 2016 13:57:49 +0100
+Subject: [PATCH 2/2] portblock: version check for -w
+
+---
+ heartbeat/portblock | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/heartbeat/portblock b/heartbeat/portblock
+index e7de217..92f7071 100755
+--- a/heartbeat/portblock
++++ b/heartbeat/portblock
+@@ -242,7 +242,7 @@ active_grep_pat()
+ chain_isactive()
+ {
+   PAT=`active_grep_pat "$1" "$2" "$3"`
+-  $IPTABLES -w -n -L INPUT | grep "$PAT" >/dev/null
++  $IPTABLES $wait -n -L INPUT | grep "$PAT" >/dev/null
+ }
+ 
+ save_tcp_connections()
+@@ -370,13 +370,13 @@ IptablesBLOCK()
+     : OK -- chain already active
+   else
+     if $try_reset ; then
+-      $IPTABLES -w -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
++      $IPTABLES $wait -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
+       tickle_local
+     fi
+-    $IPTABLES -w -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
++    $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
+     rc=$?
+     if $try_reset ; then
+-      $IPTABLES -w -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
++      $IPTABLES $wait -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset
+     fi
+   fi
+ 
+@@ -389,7 +389,7 @@ IptablesUNBLOCK()
+   if
+     chain_isactive "$1" "$2" "$3"
+   then
+-    $IPTABLES -w -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
++    $IPTABLES $wait -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
+   else
+     : Chain Not active
+   fi
+@@ -526,6 +526,15 @@ if [ -z "$OCF_RESKEY_action" ]; then
+   exit $OCF_ERR_CONFIGURED
+ fi 
+ 
++# iptables v1.4.20+ is required to use -w (wait)
++version=$(iptables -V | awk -F ' v' '{print $NF}')
++ocf_version_cmp "$version" "1.4.19.1"
++if [ "$?" -eq "2" ]; then
++    wait="-w"
++else
++    wait=""
++fi
++
+ protocol=$OCF_RESKEY_protocol
+ portno=$OCF_RESKEY_portno
+ action=$OCF_RESKEY_action
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 6aee971..f87e8f1 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -32,7 +32,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	3.9.5
-Release:	82%{?dist}.3
+Release:	82%{?dist}.4
 License:	GPLv2+, LGPLv2+ and ASL 2.0
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -172,6 +172,7 @@ Patch127:	bz1391495-nfsserver-keep-options.patch
 Patch128:	bz1394296-redis-fix-selinux-permissions.patch
 Patch129:	bz1400103-redis-notify-clients-of-master-being-demoted.patch
 Patch130:	bz1400103-nova-compute-wait-nova-compute-unfence.patch
+Patch131:	bz1409513-portblock-wait.patch
 
 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@@ -194,31 +195,35 @@ BuildRequires: libnet-devel
 %endif
 
 ## Runtime deps
-## These apply to rgmanager agents only to guarantee agents
-## are functional
-%if %{with rgmanager}
 # system tools shared by several agents
 Requires: /bin/bash /bin/grep /bin/sed /bin/gawk
-Requires: /bin/ps /usr/bin/pkill /bin/hostname
-Requires: /sbin/fuser
-Requires: /sbin/findfs /bin/mount
+Requires: /bin/ps /usr/bin/pkill /bin/hostname /bin/netstat
+Requires: /usr/sbin/fuser /bin/mount
 
-# fs.sh
-Requires: /sbin/quotaon /sbin/quotacheck
+# Filesystem / fs.sh / netfs.sh
 Requires: /sbin/fsck
 Requires: /usr/sbin/fsck.ext2 /usr/sbin/fsck.ext3 /usr/sbin/fsck.ext4
 Requires: /usr/sbin/fsck.xfs
+Requires: /sbin/mount.nfs /sbin/mount.nfs4 /usr/sbin/mount.cifs
 
-# ip.sh
-Requires: /sbin/ip /usr/sbin/ethtool
-Requires: /sbin/rdisc /usr/sbin/arping /bin/ping /bin/ping6
+# IPaddr2
+Requires: /sbin/ip
 
-# lvm.sh
+# LVM / lvm.sh
 Requires: /usr/sbin/lvm
 
-# netfs.sh
-Requires: /sbin/mount.nfs /sbin/mount.nfs4 /usr/sbin/mount.cifs
+# nfsserver / netfs.sh
 Requires: /usr/sbin/rpc.nfsd /sbin/rpc.statd /usr/sbin/rpc.mountd
+
+# rgmanager
+%if %{with rgmanager}
+# ip.sh
+Requires: /usr/sbin/ethtool
+Requires: /sbin/rdisc /usr/sbin/arping /bin/ping /bin/ping6
+
+# nfsexport.sh
+Requires: /sbin/findfs
+Requires: /sbin/quotaon /sbin/quotacheck
 %endif
 
 ## Runtime dependencies required to guarantee heartbeat agents
@@ -409,6 +414,7 @@ exit 1
 %patch128 -p1
 %patch129 -p1
 %patch130 -p1
+%patch131 -p1
 
 %build
 if [ ! -f configure ]; then
@@ -663,6 +669,12 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %endif
 
 %changelog
+* Tue Jan  3 2017 Oyvind Albrigtsen <oalbrigt@redhat.com> - 3.9.5-82.4
+- portblock: use iptables wait
+- Add netstat dependency
+
+  Resolves: rhbz#1409513
+
 * Wed Nov 30 2016 Oyvind Albrigtsen <oalbrigt@redhat.com> - 3.9.5-82.3
 - redis: notify clients of master being demoted