From bf1e95a21c807e08bbfb58bd449dd0d98f0b53c3 Mon Sep 17 00:00:00 2001
From: Mikolaj Golub
Date: Sat, 15 Dec 2012 17:19:36 +0000
Subject: [PATCH] In pfioctl, if the permission checks failed we returned with vnet context set. As the checks don't require vnet context, this is fixed by setting vnet after the checks.

PR: kern/160541
Submitted by: Nikos Vassiliadis (slightly different approach)
---
 sys/netpfil/pf/pf_ioctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index a8b71d50d7b..beb7ff8ca7a 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -963,8 +963,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 {
 	int error = 0;
 
-	CURVNET_SET(TD_TO_VNET(td));
-
 	/* XXX keep in sync with switch() below */
 	if (securelevel_gt(td->td_ucred, 2))
 		switch (cmd) {
@@ -1068,6 +1066,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 			return (EACCES);
 		}
 
+	CURVNET_SET(TD_TO_VNET(td));
+
 	switch (cmd) {
 	case DIOCSTART:
 		PF_RULES_WLOCK();
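Review bot: With `CURVNET_SET` removed from the top of pfioctl, the securelevel and write-permission checks that follow `int error = 0;` now run without a vnet context, and nothing in the code records that constraint for whoever edits them next. The existing comment could carry it, e.g. `/* XXX keep in sync with switch() below; runs before CURVNET_SET, so no per-vnet (V_) state here */`. The bodies of both check switches lie outside this hunk, so these lines cannot confirm that none of them reads per-vnet state; the commit message states that they do not.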
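Review bot: From the added `CURVNET_SET(TD_TO_VNET(td));` onward, any direct `return` inside the command switch would again leave the thread's vnet context set, which is the same leak this commit removes from the permission checks. A comment above the macro would make the rule explicit: `/* Checks above return directly; below here every exit must reach CURVNET_RESTORE(). */`. The switch body and the function's exit path are outside the hunk, so the set/restore pairing should be confirmed against the full function.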