diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -236,6 +236,11 @@ { IPSO_CLASS_RES1, 0x80 } }; +/* + * Internal errors set by ipf_check_names_string(). + */ +static int interr_tbl[3] = { 152, 156, 153}; + char ipfilter_version[] = IPL_VERSION; int ipf_features = 0 @@ -3932,6 +3937,21 @@ fr->fr_ifas[i] = ipf_resolvenic(softc, name, v); } + /* + * We do the validation for fr_sifpidx here because it is a + * union that contains an offset only when fr_sifpidx points + * to an interface name, an offset into fr_names. The union + * is an offset into fr_names in this case only. + * + * Note that sifpidx is only used in ipf_sync() which + * implments ipf -y. + */ + if ((interr = ipf_check_names_string(fp->fr_names, fp->fr_namelen, fp->fr_sifpidx)) != 0) { + IPFERROR(interr_tbl[interr-1]); + error = EINVAL; + goto unwind; + } + if ((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) { if (fr->fr_satype != FRI_NORMAL && fr->fr_satype != FRI_LOOKUP) { @@ -4404,7 +4424,6 @@ int set, int makecopy) { int error = 0, in, family, need_free = 0, interr, i; - int interr_tbl[3] = { 152, 156, 153}; enum { OP_ADD, /* add rule */ OP_REM, /* remove rule */ OP_ZERO /* zero statistics and counters */ }
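Review bot: The new file-scope table `static int interr_tbl[3] = { 152, 156, 153};` is only ever read (the hunk at 3937 indexes it with `interr-1`), so it should be `static const int interr_tbl[3] = { 152, 156, 153 };` rather than writable global state in the filter core. The comment above it should also spell out the contract the index depends on, e.g. `/* Internal error numbers for the 1..3 return values of ipf_check_names_string(); callers index with interr-1. */`, since a return value outside that range would read past the end of the table.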
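Review bot: The new validation passes `fp->fr_names`, `fp->fr_namelen` and `fp->fr_sifpidx`, but the code around it operates on `fr` (`fr->fr_ifas[i]` above, `fr->fr_type`/`fr->fr_satype` below), and neither `fp` nor `interr` is declared anywhere in this hunk; the `interr` declaration visible at 4424 belongs to a different function roughly 500 lines later. Unless a hunk not shown declares them here, this either fails to compile or validates a different rule than the one whose `fr_sifpidx` is dereferenced a few lines down, so the call should read `if ((interr = ipf_check_names_string(fr->fr_names, fr->fr_namelen, fr->fr_sifpidx)) != 0) {` with `int interr;` added to this function's locals (whether `error` and the `unwind` label exist in this function is likewise not visible). The comment itself says the union holds an offset only when the rule is not FRI_NORMAL/FRI_LOOKUP, yet the check runs unconditionally ahead of that test, so a rule whose union carries other data could presumably be rejected with EINVAL; moving the check inside the `fr_satype != FRI_NORMAL && fr_satype != FRI_LOOKUP` branch would match the stated rationale. Minor: `implments` should be `implements`. The enclosing function starts and ends outside the hunk.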