From 9d1554002206925ae86b94c242d3eca635c57aae Mon Sep 17 00:00:00 2001
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Thu, 23 Nov 2017 07:05:25 +0000
Subject: [PATCH] Check that address family of state matches address family of
 packet.

If it is not matched avoid comparing other state fields.

Obtained from:	Yandex LLC
MFC after:	1 week
Sponsored by:	Yandex LLC
---
 sys/netpfil/ipfw/ip_fw_dynamic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c
index 9f8a2a3b449f..504e33d176a5 100644
--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -609,6 +609,9 @@ lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int i, int *match_direction,
 		if (q->dyn_type == O_LIMIT_PARENT)
 			continue;
 
+		if (pkt->addr_type != q->id.addr_type)
+			continue;
+
 		if (pkt->proto != q->id.proto)
 			continue;