doc/share/security/patches/EN-17:08/pf.patch

--- sys/netpfil/pf/pf.c.orig
+++ sys/netpfil/pf/pf.c
@@ -129,6 +129,8 @@
 #define	V_pf_tcp_secret_init		 VNET(pf_tcp_secret_init)
 VNET_DEFINE(int,			 pf_tcp_iss_off);
 #define	V_pf_tcp_iss_off		 VNET(pf_tcp_iss_off)
+VNET_DECLARE(int,			 pf_vnet_active);
+#define	V_pf_vnet_active		 VNET(pf_vnet_active)
 
 /*
  * Queue for pf_intr() sends.
@@ -1441,6 +1443,12 @@
 			kproc_exit(0);
 		}
 
+		/* Wait while V_pf_default_rule.timeout is initialized. */
+		if (V_pf_vnet_active == 0) {
+			CURVNET_RESTORE();
+			continue;
+		}
+
 		/* Process 1/interval fraction of the state table every run. */
 		idx = pf_purge_expired_states(idx, pf_hashmask /
 			    (V_pf_default_rule.timeout[PFTM_INTERVAL] * 10));