[Devel] [PATCH RH7] fence-watchdog: fix wdog_tmo_mt_check return
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Wed Apr 13 07:29:44 PDT 2016
After commit bd414ee605ff ("netfilter: xtables: change matches to
return error code") match check must return 0 on success and -error
on fail, see xt_check_match.

Instead of restricting the use in CT, old check prohibited use of match
from host. E.g. with xtables_wdog_tmo package installed on host:

  iptables -A INPUT -m wdog_tmo -j DROP
  iptables: Input/output error.

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
net/netfilter/xt_wdog_tmo.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_wdog_tmo.c b/net/netfilter/xt_wdog_tmo.c
index 29b1fc0..6d731ea 100644
--- a/net/netfilter/xt_wdog_tmo.c
+++ b/net/netfilter/xt_wdog_tmo.c
@@ -21,7 +21,9 @@ wdog_tmo_mt(const struct sk_buff *skb, struct xt_action_param *par)
int wdog_tmo_mt_check(const struct xt_mtchk_param *par)
{
- return ve_is_super(get_exec_env());
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+ return 0;
}
static struct xt_match wdog_tmo_mt_reg __read_mostly = {
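Review bot: The new `if (!ve_is_super(get_exec_env()))` test in wdog_tmo_mt_check() carries no comment saying that the match is meant to be host-only, and that is exactly the intent the old one-liner got backwards; a short comment above the test would make the policy explicit. The changelog could also state the container side more directly: the removed `return ve_is_super(get_exec_env());` evaluates to 0 inside a CT, which under the 0-on-success convention means the check passed there, so this change closes an access-control gap as well as fixing the host error. Minor: the context line shows `int wdog_tmo_mt_check(...)` without `static`; if the function is only referenced from wdog_tmo_mt_reg, it can be made static.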
--
1.9.3