svn commit: r326117 - head/sys/netpfil/ipfw

Thu Nov 23 07:05:27 UTC 2017

Author: ae
Date: Thu Nov 23 07:05:25 2017
New Revision: 326117
URL: https://svnweb.freebsd.org/changeset/base/326117

Log:
  Check that address family of state matches address family of packet.
  
  If it is not matched avoid comparing other state fields.
  
  Obtained from:	Yandex LLC
  MFC after:	1 week
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_dynamic.c

Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c
==============================================================================

--- head/sys/netpfil/ipfw/ip_fw_dynamic.c	Thu Nov 23 06:04:57 2017	(r326116)
+++ head/sys/netpfil/ipfw/ip_fw_dynamic.c	Thu Nov 23 07:05:25 2017	(r326117)
@@ -609,6 +609,9 @@ lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int i
 		if (q->dyn_type == O_LIMIT_PARENT)
 			continue;
 
+		if (pkt->addr_type != q->id.addr_type)
+			continue;
+
 		if (pkt->proto != q->id.proto)
 			continue;
 
