git: 120c0bb83397 - main - divert: Update divert.4 to mention pf
Date: Tue, 27 Jan 2026 14:05:05 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=120c0bb833977707fc56f59b0961994fbd6c52e7
commit 120c0bb833977707fc56f59b0961994fbd6c52e7
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-01-27 13:48:22 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-01-27 14:04:48 +0000
divert: Update divert.4 to mention pf
pf's divert-to action can be used to pass packets to a divert socket,
but divert.4 didn't mention this, only referencing ipfw. Try to make
the text a bit more general.
Reviewed by: igoro, kp, glebius
MFC after: 2 weeks
Sponsored by: OPNsense
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54848
---
share/man/man4/divert.4 | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/share/man/man4/divert.4 b/share/man/man4/divert.4
index 5732099bd447..647bb72ab49b 100644
--- a/share/man/man4/divert.4
+++ b/share/man/man4/divert.4
@@ -1,5 +1,5 @@
.\"
-.Dd August 30, 2022
+.Dd January 23, 2026
.Dt DIVERT 4
.Os
.Sh NAME
@@ -15,7 +15,6 @@
To enable support for divert sockets, place the following lines in the
kernel configuration file:
.Bd -ragged -offset indent
-.Cd "options IPFIREWALL"
.Cd "options IPDIVERT"
.Ed
.Pp
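Review bot: with `options IPFIREWALL` dropped, only one `.Cd` line remains in this block, but the lead-in at the top of the hunk still reads "place the following lines in the kernel configuration file"; change it to "the following line". It may also be worth a sentence here saying that a firewall (ipfw(4) or pf(4)) must additionally be configured to divert packets, since IPDIVERT alone does nothing.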
@@ -25,14 +24,15 @@ as a module at boot time, add the following lines into the
.Xr loader.conf 5
file:
.Bd -literal -offset indent
-ipfw_load="YES"
ipdivert_load="YES"
.Ed
.Sh DESCRIPTION
Divert sockets allow to intercept and re-inject packets flowing through
the
.Xr ipfw 4
-firewall.
+and
+.Xr pf 4
+firewalls.
A divert socket can be bound to a specific
.Nm
port via the
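Review bot: same plural problem as in the previous hunk: after removing `ipfw_load="YES"` only `ipdivert_load="YES"` is left, yet the hunk header context still says "add the following lines into the loader.conf(5) file". Also, the unchanged "Divert sockets allow to intercept and re-inject packets" is ungrammatical; since this sentence is being touched anyway, "allow intercepting and re-injecting" (or "allow a process to intercept and re-inject") would read better.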
@@ -43,13 +43,15 @@ desired value.
Note that the
.Nm
port has nothing to do with TCP/UDP ports.
-It is just a cookie number, that allows to differentiate between different
-divert points in the
+It is just a cookie whose value depends on the firewall in use.
+For
.Xr ipfw 4
-ruleset.
+this is the number of the rule which diverted the packet; for
+.Xr pf 4
+this is a value which indicates the original direction through the
+firewall of the diverted packet.
A divert socket bound to a divert port will receive all packets diverted
-to that port by
-.Xr ipfw 4 .
+to that port by the firewall.
Packets may also be written to a divert port, in which case they re-enter
firewall processing at the next rule.
.Pp
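Review bot: the new pf(4) wording, "a value which indicates the original direction through the firewall of the diverted packet", does not say which values correspond to inbound and outbound, so a reader still cannot interpret the port returned by recvfrom(2); either state the concrete values or cross-reference where pf documents them. In addition, the unchanged trailing sentence "they re-enter firewall processing at the next rule" is ipfw-specific phrasing; now that pf is covered, either qualify it as the ipfw behaviour or describe what re-injection does under pf.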
@@ -67,8 +69,8 @@ Diverted packets may be read unaltered via
or
.Xr recvfrom 2 .
In the latter case, the address returned will have its port set to
-some tag supplied by the packet diverter, (usually the ipfw rule number)
-and the IP address set to the (first) address of
+some tag supplied by the packet diverter, (usually the cookie described
+above) and the IP address set to the (first) address of
the interface on which the packet was received (if the packet
was incoming) or
.Dv INADDR_ANY
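Review bot: the stray comma before the parenthetical, "packet diverter, (usually the cookie described above)", is carried over from the old text; drop it while rewrapping this sentence.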
@@ -179,6 +181,7 @@ that was not associated with any interface.
.Xr sendto 2 ,
.Xr socket 2 ,
.Xr ipfw 4 ,
+.Xr pf 4 ,
.Xr ipfw 8
.Sh AUTHORS
.An Archie Cobbs Aq Mt archie@FreeBSD.org ,
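Review bot: adding pf(4) next to ipfw(4) is good, but SEE ALSO still lists only ipfw(8) as the configuration reference; the pf counterpart where the divert-to action itself is described (pf.conf(5)) should be added too, keeping the section-then-alphabetical ordering mandoc expects.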
@@ -186,8 +189,7 @@ Whistle Communications Corp.
.Sh BUGS
This is an attempt to provide a clean way for user mode processes
to implement various IP tricks like address translation, but it
-could be cleaner, and it is too dependent on
-.Xr ipfw 8 .
+could be cleaner.
.Pp
It is questionable whether incoming fragments should be reassembled
before being diverted.