[Devel] [PATCH RHEL7 COMMIT] fence-watchdog: fix wdog_tmo_mt_check return

Konstantin Khorenko khorenko at virtuozzo.com
Thu Apr 14 02:10:46 PDT 2016


The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.9
------>
commit df8ecba76631eecbf76bd7507935476565edf880
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Thu Apr 14 13:10:46 2016 +0400

    fence-watchdog: fix wdog_tmo_mt_check return
    
    After commit bd414ee605ff ("netfilter: xtables: change matches to
    return error code") match check must return 0 on success and -error
    on fail, see xt_check_match.
    
    Instead of restricting the use in CT, old check prohibited use of match
    from host. e.g. with xtables_wdog_tmo package installed on host:
    
      iptables -A INPUT -m wdog_tmo -j DROP
      iptables: Input/output error.
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/netfilter/xt_wdog_tmo.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/xt_wdog_tmo.c b/net/netfilter/xt_wdog_tmo.c
index 29b1fc0..6d731ea 100644
--- a/net/netfilter/xt_wdog_tmo.c
+++ b/net/netfilter/xt_wdog_tmo.c
@@ -21,7 +21,9 @@ wdog_tmo_mt(const struct sk_buff *skb, struct xt_action_param *par)
 int wdog_tmo_mt_check(const struct xt_mtchk_param *par)
 {
 
-	return ve_is_super(get_exec_env());
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+	return 0;
 }
 
 static struct xt_match wdog_tmo_mt_reg __read_mostly = {
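Review bot: wdog_tmo_mt_check now returns -EPERM for a non-super VE, but nothing in the function says that the match is host-only by design or that the check callback must return 0 or a negative errno. A one-line comment above the `if (!ve_is_super(get_exec_env()))` test would make the intended direction of the condition explicit, since the previous `return ve_is_super(get_exec_env());` had it inverted. While this function is being touched, the blank line after the opening brace could be dropped. If nothing outside this file references the function, it could also be declared `static`, like wdog_tmo_mt_reg.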

