netfilter: xt_socket: enable defrag after all other checks

Originally this did not matter because defrag was enabled once per netns
and only disabled again on netns dismantle.  When this got changed I should
have adjusted checkentry to not leave defrag enabled on error.

Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed")
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 76e01f292aaff638f8c9c37583bc33b3ea942b65..811e53bee4085bcdd556f4f714afb669e0351e6c 100644 (file)
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -168,52 +168,41 @@ static int socket_mt_enable_defrag(struct net *net, int family)
 static int socket_mt_v1_check(const struct xt_mtchk_param *par)
 {
        const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
-       int err;
-
-       err = socket_mt_enable_defrag(par->net, par->family);
-       if (err)
-               return err;
 
        if (info->flags & ~XT_SOCKET_FLAGS_V1) {
                pr_info_ratelimited("unknown flags 0x%x\n",
                                    info->flags & ~XT_SOCKET_FLAGS_V1);
                return -EINVAL;
        }
-       return 0;
+
+       return socket_mt_enable_defrag(par->net, par->family);
 }
 
 static int socket_mt_v2_check(const struct xt_mtchk_param *par)
 {
        const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo;
-       int err;
-
-       err = socket_mt_enable_defrag(par->net, par->family);
-       if (err)
-               return err;
 
        if (info->flags & ~XT_SOCKET_FLAGS_V2) {
                pr_info_ratelimited("unknown flags 0x%x\n",
                                    info->flags & ~XT_SOCKET_FLAGS_V2);
                return -EINVAL;
        }
-       return 0;
+
+       return socket_mt_enable_defrag(par->net, par->family);
 }
 
 static int socket_mt_v3_check(const struct xt_mtchk_param *par)
 {
        const struct xt_socket_mtinfo3 *info =
                                    (struct xt_socket_mtinfo3 *)par->matchinfo;
-       int err;
 
-       err = socket_mt_enable_defrag(par->net, par->family);
-       if (err)
-               return err;
        if (info->flags & ~XT_SOCKET_FLAGS_V3) {
                pr_info_ratelimited("unknown flags 0x%x\n",
                                    info->flags & ~XT_SOCKET_FLAGS_V3);
                return -EINVAL;
        }
-       return 0;
+
+       return socket_mt_enable_defrag(par->net, par->family);
 }
 
 static void socket_mt_destroy(const struct xt_mtdtor_param *par)