authorbluhm <bluhm@openbsd.org>2017-12-04 13:40:34 +0000
committerbluhm <bluhm@openbsd.org>2017-12-04 13:40:34 +0000
commitc7745dcb75536400e2a7cb73741b11d0410874cf (patch)
tree1e4cc44ade1b54f33f44d4d91278a66b8ca18348 /sys/netinet/tcp_input.c
parentChange __mp_lock_held() to work with an arbitrary CPU info structure and (diff)
Make divert lookup similar for all socket types. If PF_TAG_DIVERTED
is set, pf_find_divert() cannot fail so put an assert there. Explicitly check all possible divert types, panic in the default case. For raw sockets call pf_find_divert() before the socket loop. Divert reply should not match on TCP or UDP listen sockets. OK sashan@ visa@
Diffstat (limited to 'sys/netinet/tcp_input.c')
-rw-r--r--sys/netinet/tcp_input.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 1112bce418d..d52fd579650 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.353 2017/12/01 10:33:33 bluhm Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.354 2017/12/04 13:40:34 bluhm Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -3454,9 +3454,6 @@ syn_cache_get(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th,
struct tcpcb *tp = NULL;
struct mbuf *am;
struct socket *oso;
-#if NPF > 0
- struct pf_divert *divert = NULL;
-#endif
NET_ASSERT_LOCKED();
@@ -3517,10 +3514,13 @@ syn_cache_get(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th,
}
#if NPF > 0
- if (m && m->m_pkthdr.pf.flags & PF_TAG_DIVERTED &&
- (divert = pf_find_divert(m)) != NULL)
+ if (m && m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) {
+ struct pf_divert *divert;
+
+ divert = pf_find_divert(m);
+ KASSERT(divert != NULL);
inp->inp_rtableid = divert->rdomain;
- else
+ } else
#endif
/* inherit rtable from listening socket */
inp->inp_rtableid = sc->sc_rtableid;
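Review bot: `KASSERT(divert != NULL);` is now the only guard before `divert->rdomain` is read, and KASSERT expands to nothing in kernels built without DIAGNOSTIC, so in such a build a broken invariant would be a NULL dereference on the TCP input path rather than a clean assertion. The removed lines fell back to `sc->sc_rtableid` when the lookup returned NULL, so this hunk trades a silent fallback for a hard stop. That trade is reasonable only if the invariant from the commit message really holds for every path that sets the tag, which cannot be confirmed from this hunk. I would record the invariant next to the assert, for example `/* pf_find_divert() cannot fail when PF_TAG_DIVERTED is set */`, so a later change to the divert tagging code knows this caller depends on it. As a style point, `} else` followed by `#endif` leaves the else body unbraced while the if body is braced; syn_cache_get itself starts and ends outside the hunk.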