Diffstat (limited to 'share/man')
-rw-r--r-- | share/man/man4/Makefile | 4 | ||||
-rw-r--r-- | share/man/man4/divert.4 | 80 | ||||
-rw-r--r-- | share/man/man5/pf.conf.5 | 15 |
3 files changed, 95 insertions, 4 deletions
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile index 0ccde289aba..589db098346 100644 --- a/share/man/man4/Makefile +++ b/share/man/man4/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.492 2009/10/03 20:14:34 kettenis Exp $ +# $OpenBSD: Makefile,v 1.493 2009/10/04 16:08:37 michele Exp $ MAN= aac.4 ac97.4 acphy.4 \ acpi.4 acpiac.4 acpiasus.4 acpibat.4 acpibtn.4 acpicpu.4 acpidock.4 \ @@ -15,7 +15,7 @@ MAN= aac.4 ac97.4 acphy.4 \ boca.4 bpf.4 brgphy.4 bridge.4 btkbd.4 btms.4 btsco.4 bwi.4 \ cac.4 cas.4 cardbus.4 carp.4 ccd.4 cd.4 cdce.4 cdcef.4 che.4 cfxga.4 \ ch.4 ciphy.4 ciss.4 clcs.4 clct.4 cmpci.4 cnw.4 \ - com.4 crypto.4 cue.4 cy.4 cz.4 dc.4 dcphy.4 ddb.4 de.4 dpt.4 \ + com.4 crypto.4 cue.4 cy.4 cz.4 dc.4 dcphy.4 ddb.4 de.4 divert.4 dpt.4 \ drm.4 eap.4 ec.4 eephy.4 ef.4 eg.4 ehci.4 eisa.4 el.4 em.4 \ emu.4 enc.4 endrun.4 envy.4 ep.4 epic.4 esa.4 \ eso.4 ess.4 et.4 etphy.4 ex.4 exphy.4 \ diff --git a/share/man/man4/divert.4 b/share/man/man4/divert.4 new file mode 100644 index 00000000000..df96bbac1b9 --- /dev/null +++ b/share/man/man4/divert.4 
@@ -0,0 +1,80 @@
+.\" $OpenBSD: divert.4,v 1.3 2009/10/04 16:08:37 michele Exp $
+.\"
+.\" Copyright (c) 2009 Michele Marchetto <michele@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+
+.Dd $Mdocdate: October 4 2009 $
+.Dt DIVERT 4
+.Os
+.Sh NAME
+.Nm divert
+.Nd Kernel packet diversion mechanism
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <sys/socket.h>
+.Fd #include <netinet/in.h>
+.Ft int
+.Fn socket AF_INET SOCK_RAW IPPROTO_DIVERT
+.Sh DESCRIPTION
+Divert sockets can be bound through
+.Xr bind 2
+to a divert port and they will receive every packet
+diverted to that port by
+.Xr pf 4 .
+Divert ports have their own number space, completely
+separated from
+.Xr tcp 4
+and
+.Xr udp 4
+ones.
+Consult
+.Xr pf.conf 5
+for the correct syntax.
+Packets can also be reinjected into the divert socket, in which case they
+re-enter kernel packet processing skipping
+.Xr pf 4
+filters, avoiding loops.
+.Pp
+Diverted packets can be read via
+.Xr read 2 ,
+.Xr recv 2 ,
+or
+.Xr recvfrom 2
+from the divert socket.
+.Xr pf 4
+will reassemble the IP packets by default before sending them to the divert
+socket.
+In addition, TCP reassembling is enabled for packet divert rules, see
+.Xr pf.conf 5
+for details.
+Writing to a divert socket can be achieved using +.Xr sendto 2 +and it will skip +.Xr pf 4 +filters to avoid loops. +.Pp +If +.Xr pf 4 +diverts packets but there are no divert sockets listening, +the packets are dropped. +.Sh SEE ALSO +.Xr socket 2 , +.Xr ip 4 , +.Xr pf.conf 5 , +.Sh HISTORY +The +.Nm +protocol first appeared in +.Ox 4.7. diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 8c51829f3ca..51c97d61fe7 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.459 2009/09/25 14:08:04 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.460 2009/10/04 16:08:37 michele Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 25 2009 $ +.Dd $Mdocdate: October 4 2009 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -436,6 +436,17 @@ The implicit rule that is used when a packet does not match any rules does not allow IP options. .Pp +.It Ar divert-packet Aq Ar port +Used to send matching packets to +.Xr divert 4 +sockets bound to port +.Ar port . +If the default option of fragment reassembly is enabled, scrubbing with +.Ar reassemble tcp +is also enabled for +.Ar divert-packet +rules. +.Pp .It Ar divert-reply Used to receive replies for sockets that are bound to addresses which are not local to the machine. |