Implement pf divert-reply for raw sockets. Note that an empty

divert->addr means that the rule has a divert-reply option.  With
divert-to the divert->addr is always set.  The divert-reply rules
should compare the original packet with the socket addresses.  So
skip the step that compares the inp->inp_laddr with the empty
divert->addr.
OK mikeb@

1 files changed, 4 insertions, 1 deletions

diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index d5c7de72c70..c3912e764f9 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: raw_ip6.c,v 1.78 2015/07/28 11:44:51 bluhm Exp $	*/
+/*	$OpenBSD: raw_ip6.c,v 1.79 2015/07/28 12:22:07 bluhm Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $	*/
 
 /*
@@ -162,10 +162,13 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
 			/* XXX rdomain support */
 			if ((divert = pf_find_divert(m)) == NULL)
 				continue;
+			if (IN6_IS_ADDR_UNSPECIFIED(&divert->addr.v6))
+				goto divert_reply;
 			if (!IN6_ARE_ADDR_EQUAL(&in6p->inp_laddr6,
 			    &divert->addr.v6))
 				continue;
 		} else
+ divert_reply:
 #endif
 		if (!IN6_IS_ADDR_UNSPECIFIED(&in6p->inp_laddr6) &&
 		    !IN6_ARE_ADDR_EQUAL(&in6p->inp_laddr6, &ip6->ip6_dst))