divert: Update divert.4 to mention pf

pf's divert-to action can be used to pass packets to a divert socket,
but divert.4 didn't mention this, only referencing ipfw.  Try to make
the text a bit more general.

Reviewed by:	igoro, kp, glebius
MFC after:	2 weeks
Sponsored by:	OPNsense
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D54848
Mark Johnston
2026-01-27 13:48:22 +00:00
parent b0d9970950
commit 120c0bb833
+15 -13
@@ -1,5 +1,5 @@
.\" .\"
.Dd August 30, 2022 .Dd January 23, 2026
.Dt DIVERT 4 .Dt DIVERT 4
.Os .Os
.Sh NAME .Sh NAME
@@ -15,7 +15,6 @@
To enable support for divert sockets, place the following lines in the To enable support for divert sockets, place the following lines in the
kernel configuration file: kernel configuration file:
.Bd -ragged -offset indent .Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Cd "options IPDIVERT" .Cd "options IPDIVERT"
.Ed .Ed
.Pp .Pp
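Review bot: the sentence introducing this example still says "place the following lines in the kernel configuration file", but once `options IPFIREWALL` is dropped only the single `.Cd "options IPDIVERT"` entry remains. Change it to "the following line" so the text matches the example.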
@@ -25,14 +24,15 @@ as a module at boot time, add the following lines into the
.Xr loader.conf 5 .Xr loader.conf 5
file: file:
.Bd -literal -offset indent .Bd -literal -offset indent
ipfw_load="YES"
ipdivert_load="YES" ipdivert_load="YES"
.Ed .Ed
.Sh DESCRIPTION .Sh DESCRIPTION
Divert sockets allow to intercept and re-inject packets flowing through Divert sockets allow to intercept and re-inject packets flowing through
the the
.Xr ipfw 4 .Xr ipfw 4
firewall. and
.Xr pf 4
firewalls.
A divert socket can be bound to a specific A divert socket can be bound to a specific
.Nm .Nm
port via the port via the
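Review bot: with `ipfw_load="YES"` removed, the loader.conf example loads only ipdivert, and this part of the page no longer tells the reader that a firewall has to be loaded as well before anything is diverted. Since DESCRIPTION now names both ipfw(4) and pf(4), add a sentence after the example saying that one of them must also be enabled and pointing to those pages. The lead-in shown in the hunk header, "add the following lines into the", also needs the singular now that one line is left.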
@@ -43,13 +43,15 @@ desired value.
Note that the Note that the
.Nm .Nm
port has nothing to do with TCP/UDP ports. port has nothing to do with TCP/UDP ports.
It is just a cookie number, that allows to differentiate between different It is just a cookie whose value depends on the firewall in use.
divert points in the For
.Xr ipfw 4 .Xr ipfw 4
ruleset. this is the number of the rule which diverted the packet; for
.Xr pf 4
this is a value which indicates the original direction through the
firewall of the diverted packet.
A divert socket bound to a divert port will receive all packets diverted A divert socket bound to a divert port will receive all packets diverted
to that port by to that port by the firewall.
.Xr ipfw 4 .
Packets may also be written to a divert port, in which case they re-enter Packets may also be written to a divert port, in which case they re-enter
firewall processing at the next rule. firewall processing at the next rule.
.Pp .Pp
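Review bot: the reworded paragraph merges two different values. "It is just a cookie whose value depends on the firewall in use" still refers to the divert port a socket is bound to, yet the values given next (the ipfw rule number, the pf direction indicator) are properties of an individual diverted packet, and the following sentence goes back to "a divert socket bound to a divert port will receive all packets diverted to that port". Keep the statement that the divert port is unrelated to TCP/UDP ports, and move the per-firewall cookie description to the recvfrom(2) paragraph where the tag is returned. For pf, also state which values encode which direction, since "a value which indicates the original direction" cannot be interpreted by someone writing a consumer. The unchanged sentence "they re-enter firewall processing at the next rule" is still written in ipfw terms and should say what happens with pf.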
@@ -67,8 +69,8 @@ Diverted packets may be read unaltered via
or or
.Xr recvfrom 2 . .Xr recvfrom 2 .
In the latter case, the address returned will have its port set to In the latter case, the address returned will have its port set to
some tag supplied by the packet diverter, (usually the ipfw rule number) some tag supplied by the packet diverter, (usually the cookie described
and the IP address set to the (first) address of above) and the IP address set to the (first) address of
the interface on which the packet was received (if the packet the interface on which the packet was received (if the packet
was incoming) or was incoming) or
.Dv INADDR_ANY .Dv INADDR_ANY
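Review bot: "usually" in "(usually the cookie described above)" leaves the reader unsure when the returned port is something else. Now that the cookie is defined per firewall, either drop "usually" or name the exception. The comma before the opening parenthesis in "diverter, (usually" is carried over from the old text and can be removed while this line is being touched.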
@@ -179,6 +181,7 @@ that was not associated with any interface.
.Xr sendto 2 , .Xr sendto 2 ,
.Xr socket 2 , .Xr socket 2 ,
.Xr ipfw 4 , .Xr ipfw 4 ,
.Xr pf 4 ,
.Xr ipfw 8 .Xr ipfw 8
.Sh AUTHORS .Sh AUTHORS
.An Archie Cobbs Aq Mt archie@FreeBSD.org , .An Archie Cobbs Aq Mt archie@FreeBSD.org ,
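Review bot: SEE ALSO gains only `.Xr pf 4 ,` while the commit message names pf's divert-to action as the reason for the change. A reader looking for the rule syntax needs pf.conf(5), so consider adding `.Xr pf.conf 5 ,` between the pf(4) and ipfw(8) entries, which keeps the list sorted by section.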
@@ -186,8 +189,7 @@ Whistle Communications Corp.
.Sh BUGS .Sh BUGS
This is an attempt to provide a clean way for user mode processes This is an attempt to provide a clean way for user mode processes
to implement various IP tricks like address translation, but it to implement various IP tricks like address translation, but it
could be cleaner, and it is too dependent on could be cleaner.
.Xr ipfw 8 .
.Pp .Pp
It is questionable whether incoming fragments should be reassembled It is questionable whether incoming fragments should be reassembled
before being diverted. before being diverted.