After commit bd414ee605ff ("netfilter: xtables: change matches to
return error code") match check must return 0 on success and -error
on fail, see xt_check_match. Instead of restricting the use in CT, old check prohibited use of match from host. e.g. with xtables_wdog_tmo package installed on host: iptables -A INPUT -m wdog_tmo -j DROP iptables: Input/output error. Signed-off-by: Pavel Tikhomirov <[email protected]> --- net/netfilter/xt_wdog_tmo.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_wdog_tmo.c b/net/netfilter/xt_wdog_tmo.c index 29b1fc0..6d731ea 100644 --- a/net/netfilter/xt_wdog_tmo.c +++ b/net/netfilter/xt_wdog_tmo.c @@ -21,7 +21,9 @@ wdog_tmo_mt(const struct sk_buff *skb, struct xt_action_param *par) int wdog_tmo_mt_check(const struct xt_mtchk_param *par) { - return ve_is_super(get_exec_env()); + if (!ve_is_super(get_exec_env())) + return -EPERM; + return 0; } static struct xt_match wdog_tmo_mt_reg __read_mostly = { -- 1.9.3 _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
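Review bot: The pre-patch return value in wdog_tmo_mt_check() was not just wrong on the host, it inverted the intended restriction: ve_is_super() yields non-zero on the host, which xt_check_match() treats as a failure (hence the "Input/output error" quoted in the changelog), while inside a container it yields 0, which is reported as success, so the match the check was meant to confine to the host was accepted exactly where it should have been refused. The replacement (`if (!ve_is_super(get_exec_env())) return -EPERM; return 0;`) closes that fail-open path and gives userspace a meaningful "Operation not permitted" instead of EIO; the hunk header's 7-to-9 line count matches the three added and one removed line. Worth adding a one-line comment above the check stating that the match is host-only, so the next refactor of the return convention does not silently flip the semantics again.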
