I suspect I will be fine once I apply the referenced patch; without it there is no divert for PF to route to. I am a bit surprised it is not enabled by default and there is not a straightforward way to enable it aside from patching the kernel, given that divert is regularly mentioned in the OpenBSD documentation.

On Tue, Feb 3, 2026 at 7:21 AM Stuart Henderson <[email protected]> wrote:

> On 2026/02/03 07:02, William B. wrote:
> >
> > Thanks for the referenced patch. I will give it a go.
>
> That will list divert sockets in "netstat -an -p divert" output but
> won't help with your suricata and/or PF config.
>
> Are your "divert-packet" PF rules actually getting hit? Check your
> packets / bytes / state creations counters in "pfctl -sr -v | grep
> -A2 divert-packet".
>
