In pfioctl, if the permission checks failed we returned with vnet context
set.

As the checks don't require vnet context, this is fixed by setting
vnet after the checks.

PR:		kern/160541
Submitted by:	Nikos Vassiliadis (slightly different approach)
Mikolaj Golub 2012-12-15 17:19:36 +00:00
parent 6f1cbda73d
commit bf1e95a21c

@ -963,8 +963,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
{
int error = 0;
CURVNET_SET(TD_TO_VNET(td));
/* XXX keep in sync with switch() below */
if (securelevel_gt(td->td_ucred, 2))
switch (cmd) {
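Review bot: Nothing at the top of pfioctl now records that the securelevel_gt(td->td_ucred, 2) check and the switch under it run without vnet context, so a later edit could add a vnet-dependent check there without noticing. The commit message says the checks don't require it; a one-line comment next to the existing "XXX keep in sync with switch() below" note, stating that the permission checks must not touch per-vnet state, would make that constraint visible in the code.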
@ -1068,6 +1066,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
return (EACCES);
}
CURVNET_SET(TD_TO_VNET(td));
switch (cmd) {
case DIOCSTART:
PF_RULES_WLOCK();
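Review bot: The CURVNET_SET(TD_TO_VNET(td)) placed just before the main switch (cmd) needs a matching CURVNET_RESTORE() on every path out of that switch, and the hunk does not show the function's exits. Please confirm that no case below DIOCSTART returns directly, which would reintroduce the bug this commit fixes in a different place. It would also help to say in the commit message that the early return (EACCES) paths are the ones that previously leaked the context.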