divert: Update divert.4 to mention pf
pf's divert-to action can be used to pass packets to a divert socket, but divert.4 didn't mention this, only referencing ipfw. Try to make the text a bit more general.

Reviewed by: igoro, kp, glebius
MFC after: 2 weeks
Sponsored by: OPNsense
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54848
+15
-13
@@ -1,5 +1,5 @@
|
|||||||
.\"
|
.\"
|
||||||
.Dd August 30, 2022
|
.Dd January 23, 2026
|
||||||
.Dt DIVERT 4
|
.Dt DIVERT 4
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@@ -15,7 +15,6 @@
|
|||||||
To enable support for divert sockets, place the following lines in the
|
To enable support for divert sockets, place the following lines in the
|
||||||
kernel configuration file:
|
kernel configuration file:
|
||||||
.Bd -ragged -offset indent
|
.Bd -ragged -offset indent
|
||||||
.Cd "options IPFIREWALL"
|
|
||||||
.Cd "options IPDIVERT"
|
.Cd "options IPDIVERT"
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
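Review bot: the unchanged lead-in above this .Bd block still says "place the following lines in the kernel configuration file", but with `.Cd "options IPFIREWALL"` removed only one line remains, so it should read "the following line". It would also help to state here that a firewall (ipfw(4) or pf(4)) must be configured separately, since that requirement used to be implied by listing the IPFIREWALL option.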
@@ -25,14 +24,15 @@ as a module at boot time, add the following lines into the
|
|||||||
.Xr loader.conf 5
|
.Xr loader.conf 5
|
||||||
file:
|
file:
|
||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
ipfw_load="YES"
|
|
||||||
ipdivert_load="YES"
|
ipdivert_load="YES"
|
||||||
.Ed
|
.Ed
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
Divert sockets allow to intercept and re-inject packets flowing through
|
Divert sockets allow to intercept and re-inject packets flowing through
|
||||||
the
|
the
|
||||||
.Xr ipfw 4
|
.Xr ipfw 4
|
||||||
firewall.
|
and
|
||||||
|
.Xr pf 4
|
||||||
|
firewalls.
|
||||||
A divert socket can be bound to a specific
|
A divert socket can be bound to a specific
|
||||||
.Nm
|
.Nm
|
||||||
port via the
|
port via the
|
||||||
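Review bot: the hunk header context "add the following lines into the loader.conf(5) file" has the same singular/plural mismatch now that `ipfw_load="YES"` is gone and only `ipdivert_load="YES"` is listed; either say "the following line" or keep a second line naming the firewall module the reader actually uses, so pf users do not conclude that loading ipdivert alone is enough. Separately, "Divert sockets allow to intercept and re-inject" is not idiomatic English; since the sentence is being edited anyway, "allow intercepting and re-injecting" would read better.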
@@ -43,13 +43,15 @@ desired value.
|
|||||||
Note that the
|
Note that the
|
||||||
.Nm
|
.Nm
|
||||||
port has nothing to do with TCP/UDP ports.
|
port has nothing to do with TCP/UDP ports.
|
||||||
It is just a cookie number, that allows to differentiate between different
|
It is just a cookie whose value depends on the firewall in use.
|
||||||
divert points in the
|
For
|
||||||
.Xr ipfw 4
|
.Xr ipfw 4
|
||||||
ruleset.
|
this is the number of the rule which diverted the packet; for
|
||||||
|
.Xr pf 4
|
||||||
|
this is a value which indicates the original direction through the
|
||||||
|
firewall of the diverted packet.
|
||||||
A divert socket bound to a divert port will receive all packets diverted
|
A divert socket bound to a divert port will receive all packets diverted
|
||||||
to that port by
|
to that port by the firewall.
|
||||||
.Xr ipfw 4 .
|
|
||||||
Packets may also be written to a divert port, in which case they re-enter
|
Packets may also be written to a divert port, in which case they re-enter
|
||||||
firewall processing at the next rule.
|
firewall processing at the next rule.
|
||||||
.Pp
|
.Pp
|
||||||
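Review bot: "a value which indicates the original direction through the firewall of the diverted packet" tells the reader that the pf cookie encodes direction without saying what values to expect or where they are defined; name the constants or point at the divert-to description in pf.conf(5) so a program can actually test the port it reads back. Also, the unchanged closing sentence "re-enter firewall processing at the next rule" describes ipfw rule-number semantics; now that the preceding sentence says "by the firewall" generically, confirm that it holds for pf or qualify it.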
@@ -67,8 +69,8 @@ Diverted packets may be read unaltered via
|
|||||||
or
|
or
|
||||||
.Xr recvfrom 2 .
|
.Xr recvfrom 2 .
|
||||||
In the latter case, the address returned will have its port set to
|
In the latter case, the address returned will have its port set to
|
||||||
some tag supplied by the packet diverter, (usually the ipfw rule number)
|
some tag supplied by the packet diverter, (usually the cookie described
|
||||||
and the IP address set to the (first) address of
|
above) and the IP address set to the (first) address of
|
||||||
the interface on which the packet was received (if the packet
|
the interface on which the packet was received (if the packet
|
||||||
was incoming) or
|
was incoming) or
|
||||||
.Dv INADDR_ANY
|
.Dv INADDR_ANY
|
||||||
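Review bot: the rewritten line keeps the stray comma in "packet diverter, (usually the cookie described above)"; since the line is being touched anyway, drop the comma before the parenthesis.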
@@ -179,6 +181,7 @@ that was not associated with any interface.
|
|||||||
.Xr sendto 2 ,
|
.Xr sendto 2 ,
|
||||||
.Xr socket 2 ,
|
.Xr socket 2 ,
|
||||||
.Xr ipfw 4 ,
|
.Xr ipfw 4 ,
|
||||||
|
.Xr pf 4 ,
|
||||||
.Xr ipfw 8
|
.Xr ipfw 8
|
||||||
.Sh AUTHORS
|
.Sh AUTHORS
|
||||||
.An Archie Cobbs Aq Mt archie@FreeBSD.org ,
|
.An Archie Cobbs Aq Mt archie@FreeBSD.org ,
|
||||||
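Review bot: adding `.Xr pf 4 ,` to SEE ALSO is right, but the divert-to action this change is about is documented in pf.conf(5), and ipfw(8) already has an entry here; add `.Xr pf.conf 5 ,` between the section 4 and section 8 entries (mdoc orders SEE ALSO by section, then by name) and consider `.Xr pfctl 8` alongside `.Xr ipfw 8`.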
@@ -186,8 +189,7 @@ Whistle Communications Corp.
|
|||||||
.Sh BUGS
|
.Sh BUGS
|
||||||
This is an attempt to provide a clean way for user mode processes
|
This is an attempt to provide a clean way for user mode processes
|
||||||
to implement various IP tricks like address translation, but it
|
to implement various IP tricks like address translation, but it
|
||||||
could be cleaner, and it is too dependent on
|
could be cleaner.
|
||||||
.Xr ipfw 8 .
|
|
||||||
.Pp
|
.Pp
|
||||||
It is questionable whether incoming fragments should be reassembled
|
It is questionable whether incoming fragments should be reassembled
|
||||||
before being diverted.
|
before being diverted.
|
||||||
|
|||||||