author | Lawrence Teo <lteo@cvs.openbsd.org> | 2013-06-01 18:41:44 +0000 |
---|---|---|
committer | Lawrence Teo <lteo@cvs.openbsd.org> | 2013-06-01 18:41:44 +0000 |
commit | ad4de5b1c76896379d6cab9b55686c2e66215131 (patch) | |
tree | b068742653446fb6b73491c5e6a65e4a4c24fab1 /share/man/man4 | |
parent | 204316bee57f022dea637a9d94567f3c852d1131 (diff) |
Document my divert(4) changes done in April 2013, where reinjected
packets will now go through basic sanity checks and will have their
IPv4 and protocol checksums (TCP, UDP, ICMP, and ICMPv6) recalculated.
Also clarify that divert(4) relates to the PF divert-packet parameter,
not divert-to (prodded by beck@, also suggested by benno@ and reyk@).
ok benno jmc
Diffstat (limited to 'share/man/man4')
-rw-r--r-- | share/man/man4/divert.4 | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/share/man/man4/divert.4 b/share/man/man4/divert.4 index 91ca105eab7..e7eeac6726a 100644 --- a/share/man/man4/divert.4 +++ b/share/man/man4/divert.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: divert.4,v 1.11 2012/10/24 22:57:41 jmc Exp $ +.\" $OpenBSD: divert.4,v 1.12 2013/06/01 18:41:43 lteo Exp $ .\" .\" Copyright (c) 2009 Michele Marchetto <michele@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: October 24 2012 $ +.Dd $Mdocdate: June 1 2013 $ .Dt DIVERT 4 .Os .Sh NAME @@ -43,10 +43,18 @@ and .Xr udp 4 . When .Xr pf 4 -processes a packet that matches a divert rule (see +processes a packet that matches a rule with the +.Ar divert-packet +parameter +(see .Xr pf.conf 5 for details) it is immediately sent to the divert socket listening on the -port specified in the rule. +divert port specified in the rule. +Note that +.Ar divert-packet +should not be confused with +.Ar divert-to , +which does not use divert sockets. .Xr pf 4 reassembles TCP streams by default (if IP reassembly is not disabled) before sending them to the divert sockets. @@ -63,8 +71,12 @@ kernel. After being reinjected, inbound and outbound packets are treated differently. Inbound packets are added to the relevant input queue and a soft interrupt is scheduled to signal that a new packet is ready to be processed; outbound ones -are processed directly by the relevant IP/IPv6 output function. -The packets' checksums are recalculated upon reinjection. +are processed directly by the relevant IPv4/IPv6 output function. +Since the userspace application could have modified the packets, upon +reinjection basic sanity checks are done to ensure that the packets are still +valid. +The packets' IPv4 and protocol checksums (TCP, UDP, ICMP, and ICMPv6) are also +recalculated. .Pp Writing to a divert socket can be achieved using .Xr sendto 2 |
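Review bot: In the last hunk (the "After being reinjected" paragraph), the new sentence "basic sanity checks are done to ensure that the packets are still valid" does not say what happens when a check fails, which is exactly what a userspace application writing to the socket needs to know: is the packet silently dropped, or does the write (sendto(2), documented just below) return an error? Please add one sentence stating the failure behaviour, for example "Packets that fail these checks are discarded" or "... and an error is returned to the writer", whichever the implementation does, so the man page matches the April code change the commit message refers to.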