divert: Update divert.4 to mention pf

pf's divert-to action can be used to pass packets to a divert socket,
but divert.4 didn't mention this, only referencing ipfw.  Try to make
the text a bit more general.

Reviewed by:	igoro, kp, glebius
MFC after:	2 weeks
Sponsored by:	OPNsense
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D54848
Mark Johnston
2026-01-27 13:48:22 +00:00
parent b0d9970950
commit 120c0bb833
+15 -13
@@ -1,5 +1,5 @@
.\"
.Dd August 30, 2022
.Dd January 23, 2026
.Dt DIVERT 4
.Os
.Sh NAME
@@ -15,7 +15,6 @@
To enable support for divert sockets, place the following lines in the
kernel configuration file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Cd "options IPDIVERT"
.Ed
.Pp
@@ -25,14 +24,15 @@ as a module at boot time, add the following lines into the
.Xr loader.conf 5
file:
.Bd -literal -offset indent
ipfw_load="YES"
ipdivert_load="YES"
.Ed
.Sh DESCRIPTION
Divert sockets allow to intercept and re-inject packets flowing through
the
.Xr ipfw 4
firewall.
and
.Xr pf 4
firewalls.
A divert socket can be bound to a specific
.Nm
port via the
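Review bot: the loader.conf example in this hunk still shows `ipfw_load="YES"` as unchanged context, even though the previous hunk drops `options IPFIREWALL` from the kernel configuration because divert sockets no longer require ipfw. For consistency either drop `ipfw_load="YES"` here as well or add a sentence saying that the ipfw module is only needed when ipfw is the firewall doing the diverting. Separately, the unchanged context line "Divert sockets allow to intercept and re-inject packets" is ungrammatical; since the sentence is being reworked anyway, "Divert sockets allow one to intercept and re-inject packets flowing through the ipfw(4) and pf(4) firewalls." would read better.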
@@ -43,13 +43,15 @@ desired value.
Note that the
.Nm
port has nothing to do with TCP/UDP ports.
It is just a cookie number, that allows to differentiate between different
divert points in the
It is just a cookie whose value depends on the firewall in use.
For
.Xr ipfw 4
ruleset.
this is the number of the rule which diverted the packet; for
.Xr pf 4
this is a value which indicates the original direction through the
firewall of the diverted packet.
A divert socket bound to a divert port will receive all packets diverted
to that port by
.Xr ipfw 4 .
to that port by the firewall.
Packets may also be written to a divert port, in which case they re-enter
firewall processing at the next rule.
.Pp
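Review bot: the new pf description, "this is a value which indicates the original direction through the firewall of the diverted packet", tells the reader that the cookie encodes a direction but not which values to expect or where they are defined. Consider naming the values or cross-referencing the page that defines them, since a program reading the port from the returned address has to interpret it. The phrasing would also be clearer as "this value indicates the direction in which the packet was traversing the firewall when it was diverted". Finally, the unchanged context "they re-enter firewall processing at the next rule" is ipfw-specific wording; now that the paragraph covers both firewalls, say what "the next rule" means for pf or qualify it as ipfw behaviour.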
@@ -67,8 +69,8 @@ Diverted packets may be read unaltered via
or
.Xr recvfrom 2 .
In the latter case, the address returned will have its port set to
some tag supplied by the packet diverter, (usually the ipfw rule number)
and the IP address set to the (first) address of
some tag supplied by the packet diverter, (usually the cookie described
above) and the IP address set to the (first) address of
the interface on which the packet was received (if the packet
was incoming) or
.Dv INADDR_ANY
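Review bot: the replacement line keeps the misplaced comma from the old text, "some tag supplied by the packet diverter, (usually the cookie described above)". Drop the comma before the parenthesis: "some tag supplied by the packet diverter (usually the cookie described above) and the IP address set to ...".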
@@ -179,6 +181,7 @@ that was not associated with any interface.
.Xr sendto 2 ,
.Xr socket 2 ,
.Xr ipfw 4 ,
.Xr pf 4 ,
.Xr ipfw 8
.Sh AUTHORS
.An Archie Cobbs Aq Mt archie@FreeBSD.org ,
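Review bot: adding `.Xr pf 4` to SEE ALSO is right, but the commit message's point is pf's divert-to action, which is a ruleset keyword rather than part of the pf(4) device interface; consider also cross-referencing the page that documents the ruleset syntax (pf.conf 5) so the reader can find the divert-to keyword from here, alongside the existing `.Xr ipfw 8` reference.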
@@ -186,8 +189,7 @@ Whistle Communications Corp.
.Sh BUGS
This is an attempt to provide a clean way for user mode processes
to implement various IP tricks like address translation, but it
could be cleaner, and it is too dependent on
.Xr ipfw 8 .
could be cleaner.
.Pp
It is questionable whether incoming fragments should be reassembled
before being diverted.