7 files changed, 51 insertions, 38 deletions

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 8b95b5dd6b0..06615c985ce 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.667 2017/11/27 23:21:50 bluhm Exp $	*/
+/*	$OpenBSD: parse.y,v 1.668 2017/11/28 16:05:46 bluhm Exp $	*/
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -4084,7 +4084,7 @@ rule_consistent(struct pf_rule *r, int anchor_call)
 	/* Basic rule sanity check. */
 	switch (r->action) {
 	case PF_MATCH:
-		if (r->divert.port) {
+		if (r->divert.type != PF_DIVERT_NONE) {
 			yyerror("divert is not supported on match rules");
 			problems++;
 		}
@@ -4445,16 +4445,18 @@ expand_divertspec(struct pf_rule *r, struct divertspec *ds)
 			r->divert.addr = ds->addr->addr.v.a.addr;
 		}
 		r->divert.port = ds->port;
+		r->divert.type = ds->type;
 		return (0);
 	case PF_DIVERT_REPLY:
 		if (r->direction == PF_IN) {
 			yyerror("divert-reply used with incoming rule");
 			return (1);
 		}
-		r->divert.port = 1;  /* some random value */
+		r->divert.type = ds->type;
 		return (0);
 	case PF_DIVERT_PACKET:
-		r->divert_packet.port = ds->port;
+		r->divert.port = ds->port;
+		r->divert.type = ds->type;
 		return (0);
 	}
 	return (1);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 5963b6bdffd..f0e43882790 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfctl_parser.c,v 1.317 2017/11/13 11:30:11 henning Exp $ */
+/*	$OpenBSD: pfctl_parser.c,v 1.318 2017/11/28 16:05:47 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1077,24 +1077,31 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts)
 	}
 	if (r->rtableid != -1)
 		printf(" rtable %u", r->rtableid);
-	if (r->divert.port) {
-		if (PF_AZERO(&r->divert.addr, AF_INET6)) {
-			printf(" divert-reply");
-		} else {
-			/* XXX cut&paste from print_addr */
-			char buf[48];
+	switch (r->divert.type) {
+	case PF_DIVERT_NONE:
+		break;
+	case PF_DIVERT_TO: {
+		/* XXX cut&paste from print_addr */
+		char buf[48];
 
-			printf(" divert-to ");
-			if (inet_ntop(r->af, &r->divert.addr, buf,
-			    sizeof(buf)) == NULL)
-				printf("?");
-			else
-				printf("%s", buf);
-			printf(" port %u", ntohs(r->divert.port));
-		}
+		printf(" divert-to ");
+		if (inet_ntop(r->af, &r->divert.addr, buf, sizeof(buf)) == NULL)
+			printf("?");
+		else
+			printf("%s", buf);
+		printf(" port %u", ntohs(r->divert.port));
+		break;
+	}
+	case PF_DIVERT_REPLY:
+		printf(" divert-reply");
+		break;
+	case PF_DIVERT_PACKET:
+		printf(" divert-packet port %u", ntohs(r->divert.port));
+		break;
+	default:
+		printf(" divert ???");
+		break;
 	}
-	if (r->divert_packet.port)
-		printf(" divert-packet port %u", ntohs(r->divert_packet.port));
 
 	if (!anchor_call[0] && r->nat.addr.type != PF_ADDR_NONE &&
 	    r->rule_flag & PFRULE_AFTO) {
diff --git a/sys/net/pf.c b/sys/net/pf.c
index ebedf217cce..01e60badeaa 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.1047 2017/11/22 12:28:49 bluhm Exp $ */
+/*	$OpenBSD: pf.c,v 1.1048 2017/11/28 16:05:46 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1380,7 +1380,8 @@ pf_remove_divert_state(struct pf_state_key *sk)
 
 	TAILQ_FOREACH(si, &sk->states, entry) {
 		if (sk == si->s->key[PF_SK_STACK] && si->s->rule.ptr &&
-		    si->s->rule.ptr->divert.port) {
+		    (si->s->rule.ptr->divert.type == PF_DIVERT_TO ||
+		    si->s->rule.ptr->divert.type == PF_DIVERT_REPLY)) {
 			pf_remove_state(si->s);
 			break;
 		}
@@ -6981,18 +6982,21 @@ done:
 	if (pd.destchg && pd.dir == PF_OUT)
 		pd.m->m_pkthdr.pf.flags |= PF_TAG_REROUTE;
 
-	if (pd.dir == PF_IN && action == PF_PASS && r->divert.port) {
+	if (pd.dir == PF_IN && action == PF_PASS &&
+	    (r->divert.type == PF_DIVERT_TO ||
+	    r->divert.type == PF_DIVERT_REPLY)) {
 		struct pf_divert *divert;
 
 		if ((divert = pf_get_divert(pd.m))) {
 			pd.m->m_pkthdr.pf.flags |= PF_TAG_DIVERTED;
+			divert->addr = r->divert.addr;
 			divert->port = r->divert.port;
 			divert->rdomain = pd.rdomain;
-			divert->addr = r->divert.addr;
+			divert->type = r->divert.type;
 		}
 	}
 
-	if (action == PF_PASS && r->divert_packet.port)
+	if (action == PF_PASS && r->divert.type == PF_DIVERT_PACKET)
 		action = PF_DIVERT;
 
 #if NPFLOG > 0
@@ -7023,13 +7027,12 @@ done:
 	case PF_DIVERT:
 		switch (pd.af) {
 		case AF_INET:
-			if (!divert_packet(pd.m, pd.dir, r->divert_packet.port))
+			if (!divert_packet(pd.m, pd.dir, r->divert.port))
 				pd.m = NULL;
 			break;
 #ifdef INET6
 		case AF_INET6:
-			if (!divert6_packet(pd.m, pd.dir,
-			    r->divert_packet.port))
+			if (!divert6_packet(pd.m, pd.dir, r->divert.port))
 				pd.m = NULL;
 			break;
 #endif /* INET6 */
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index e392d5364e7..ece193752a8 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_ioctl.c,v 1.325 2017/11/13 11:30:11 henning Exp $ */
+/*	$OpenBSD: pf_ioctl.c,v 1.326 2017/11/28 16:05:46 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -2796,8 +2796,7 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
 	to->flush = from->flush;
 	to->divert.addr = from->divert.addr;
 	to->divert.port = from->divert.port;
-	to->divert_packet.addr = from->divert_packet.addr;
-	to->divert_packet.port = from->divert_packet.port;
+	to->divert.type = from->divert.type;
 	to->prio = from->prio;
 	to->set_prio[0] = from->set_prio[0];
 	to->set_prio[1] = from->set_prio[1];
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index ae849b4d594..27dcefbe47b 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfvar.h,v 1.468 2017/11/27 23:21:50 bluhm Exp $ */
+/*	$OpenBSD: pfvar.h,v 1.469 2017/11/28 16:05:46 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -590,7 +590,8 @@ struct pf_rule {
 	struct {
 		struct pf_addr		addr;
 		u_int16_t		port;
-	}			divert, divert_packet;
+		u_int8_t		type;
+	}			divert;
 
 	SLIST_ENTRY(pf_rule)	 gcle;
 	struct pf_ruleset	*ruleset;
@@ -1394,6 +1395,7 @@ struct pf_divert {
 	struct pf_addr	addr;
 	u_int16_t	port;
 	u_int16_t	rdomain;
+	u_int8_t	type;
 };
 
 enum pf_divert_types {
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index d969c5ee66c..85986a64900 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: raw_ip.c,v 1.106 2017/11/20 10:35:24 mpi Exp $	*/
+/*	$OpenBSD: raw_ip.c,v 1.107 2017/11/28 16:05:46 bluhm Exp $	*/
 /*	$NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $	*/
 
 /*
@@ -149,7 +149,7 @@ rip_input(struct mbuf **mp, int *offp, int proto, int af)
 			/* XXX rdomain support */
 			if ((divert = pf_find_divert(m)) == NULL)
 				continue;
-			if (!divert->addr.v4.s_addr)
+			if (divert->type == PF_DIVERT_REPLY)
 				goto divert_reply;
 			if (inp->inp_laddr.s_addr != divert->addr.v4.s_addr)
 				continue;
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 0c0bd3b6cd9..17987db85ad 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: raw_ip6.c,v 1.123 2017/11/20 10:35:24 mpi Exp $	*/
+/*	$OpenBSD: raw_ip6.c,v 1.124 2017/11/28 16:05:46 bluhm Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $	*/
 
 /*
@@ -152,7 +152,7 @@ rip6_input(struct mbuf **mp, int *offp, int proto, int af)
 			/* XXX rdomain support */
 			if ((divert = pf_find_divert(m)) == NULL)
 				continue;
-			if (IN6_IS_ADDR_UNSPECIFIED(&divert->addr.v6))
+			if (divert->type == PF_DIVERT_REPLY)
 				goto divert_reply;
 			if (!IN6_ARE_ADDR_EQUAL(&in6p->inp_laddr6,
 			    &divert->addr.v6))