pknock: add_rule must happen after info struct checks
authorJan Engelhardt <jengelh@medozas.de>
Tue, 6 Oct 2009 22:40:19 +0000 (00:40 +0200)
committerJan Engelhardt <jengelh@medozas.de>
Tue, 6 Oct 2009 23:12:03 +0000 (01:12 +0200)
This avoids unnecessarily creating pknock rules if there is an error
with any of the match parameters.

extensions/xt_pknock.c

index 97ccec3b37fc028a753d89773b5e911093785948..bb65312ee42a26e359aebbdfa7a37f57bbaa6f86 100644 (file)
@@ -1034,9 +1034,6 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par)
                get_random_bytes(&ipt_pknock_hash_rnd, sizeof (ipt_pknock_hash_rnd));
        }
 
-       if (!add_rule(info))
-               RETURN_ERR("add_rule() error in checkentry() function.\n");
-
        if (!(info->option & XT_PKNOCK_NAME))
                RETURN_ERR("You must specify --name option.\n");
 
@@ -1081,6 +1078,9 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par)
        }
 #endif
 
+       if (!add_rule(info))
+               RETURN_ERR("add_rule() error in checkentry() function.\n");
+
        return true;
 }
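Review bot: The relocated `if (!add_rule(info))` call just before `return true;` carries no comment explaining why it must be the final step, so a parameter check added below it later would again leave a rule behind for a match that is then rejected. I would put `/* Keep last: add_rule() creates rule state, so every info check must have passed before this point. */` directly above it. The error string still says `checkentry()`, while the hunk header shows the function is now `pknock_mt_check`; naming the current function would make the log line easier to trace. Whether a failed add_rule() needs cleanup of its own cannot be judged here, because add_rule() is not shown and the body of pknock_mt_check starts outside the hunk.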