This diff documents my recent checksum recalculation changes for divert(4):
http://marc.info/?l=openbsd-cvs&m=136543514928571&w=2 I have also made the text more specific to clarify that divert sockets are only applicable to PF rules with the divert-packet parameter, with an explicit note that it does not relate to divert-to. Comments? OK? Index: divert.4 =================================================================== RCS file: /cvs/src/share/man/man4/divert.4,v retrieving revision 1.11 diff -u -p -r1.11 divert.4 --- divert.4 24 Oct 2012 22:57:41 -0000 1.11 +++ divert.4 18 Apr 2013 14:22:41 -0000 @@ -43,10 +43,18 @@ and .Xr udp 4 . When .Xr pf 4 -processes a packet that matches a divert rule (see +processes a packet that matches a rule with the +.Ar divert-packet +parameter +(see .Xr pf.conf 5 for details) it is immediately sent to the divert socket listening on the -port specified in the rule. +divert port specified in the rule. +Note that +.Ar divert-packet +should not be confused with +.Ar divert-to , +which does not use divert sockets. .Xr pf 4 reassembles TCP streams by default (if IP reassembly is not disabled) before sending them to the divert sockets. @@ -63,8 +71,12 @@ kernel. After being reinjected, inbound and outbound packets are treated differently. Inbound packets are added to the relevant input queue and a soft interrupt is scheduled to signal that a new packet is ready to be processed; outbound ones -are processed directly by the relevant IP/IPv6 output function. -The packets' checksums are recalculated upon reinjection. +are processed directly by the relevant IPv4/IPv6 output function. +Since the userspace application could have modified the packets, upon +reinjection basic sanity checks are done to ensure that the packets are still +valid. +The packets' IPv4 and protocol checksums (TCP, UDP, ICMP, and ICMPv6) are also +recalculated. .Pp Writing to a divert socket can be achieved using .Xr sendto 2
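Review bot: in the first hunk (@@ -43,10 +43,18 @@), the added "Note that .Ar divert-packet should not be confused with .Ar divert-to ," sentence sits between the description of delivery to the divert socket and the existing sentence on TCP stream reassembly, so it interrupts the account of what pf(4) does with a matching packet. Consider moving it after the reassembly sentence. The note also only says what divert-to does not do, so a pointer to pf.conf(5) for divert-to would tell the reader where that parameter is described.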
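Review bot: in the second hunk (@@ -63,8 +71,12 @@), "basic sanity checks are done to ensure that the packets are still valid" does not say which properties are checked or what happens to a packet that fails them. An application writing to the socket needs to know whether such a packet is silently dropped or the write fails with an error, so the outcome should be stated here. The checksum sentence lists TCP, UDP, ICMP, and ICMPv6, and because that list reads as exhaustive it would help to say how reinjected packets carrying any other protocol are treated.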
