svn commit: r326117 - head/sys/netpfil/ipfw

[Andrey V. Elsukov]

Author: ae
Date: Thu Nov 23 07:05:25 2017
New Revision: 326117
URL: https://svnweb.freebsd.org/changeset/base/326117

Log:
  Check that address family of state matches address family of packet.
  
  If it is not matched avoid comparing other state fields.
  
  Obtained from:        Yandex LLC
  MFC after:    1 week
  Sponsored by: Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_dynamic.c

Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_dynamic.c       Thu Nov 23 06:04:57 2017        
(r326116)
+++ head/sys/netpfil/ipfw/ip_fw_dynamic.c       Thu Nov 23 07:05:25 2017        
(r326117)
@@ -609,6 +609,9 @@ lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int i
                if (q->dyn_type == O_LIMIT_PARENT)
                        continue;
 
+               if (pkt->addr_type != q->id.addr_type)
+                       continue;
+
                if (pkt->proto != q->id.proto)
                        continue;
 
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"