authortrociny <trociny@FreeBSD.org>2012-12-15 17:19:36 +0000
committertrociny <trociny@FreeBSD.org>2012-12-15 17:19:36 +0000
commit8458a615d7b84536adea895daff3c00413734f8b (patch)
tree6ee50fd3b73fd29ff711ef3f68c84bdbde18283f /sys/netpfil/pf
parentc3c1c81918dd701cfecb370f591746bacc907e4d (diff)
In pfioctl, if the permission checks failed, we returned with the vnet context
still set. As the checks don't require the vnet context, this is fixed by setting the vnet context after the checks.

PR: kern/160541
Submitted by: Nikos Vassiliadis (slightly different approach)
Diffstat (limited to 'sys/netpfil/pf')
-rw-r--r--sys/netpfil/pf/pf_ioctl.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index a8b71d5..beb7ff8 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -963,8 +963,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
{
int error = 0;
- CURVNET_SET(TD_TO_VNET(td));
-
/* XXX keep in sync with switch() below */
if (securelevel_gt(td->td_ucred, 2))
switch (cmd) {
@@ -1068,6 +1066,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
return (EACCES);
}
+ CURVNET_SET(TD_TO_VNET(td));
+
switch (cmd) {
case DIOCSTART:
PF_RULES_WLOCK();
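Review bot: Nothing at the relocated `CURVNET_SET(TD_TO_VNET(td));` records the invariant this fix depends on, so a later edit to the permission checks could reintroduce an unbalanced vnet context on a denied ioctl. I would add a comment directly above it, for example `/* Permission checks above return directly and must not need vnet context; every exit below must reach CURVNET_RESTORE(). */`. The securelevel check visible in the first hunk reads only `td->td_ucred`, which is consistent with the commit message. The rest of the check block and the function's exit path are outside both hunks, so it is worth confirming that no `return` after this line bypasses the restore.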