From aed912e702a3c5f3b99085c50d1468b081ae46e8 Mon Sep 17 00:00:00 2001
From: Evgeniy Khramtsov
Date: Sun, 16 Jul 2023 17:22:38 +0000
Subject: [PATCH] nfq: switch to PF_DIVERT/SOCK_RAW on FreeBSD 14

FreeBSD/FreeBSD-src@8624f4347e81 ("divert: declare PF_DIVERT domain and stop abusing PF_INET") deprecated IPPROTO_DIVERT by introducing address family-independent PF_DIVERT. Use socket(PF_DIVERT, SOCK_RAW, 0) to avoid deprecated behavior, i.e. FreeBSD/FreeBSD-src@f70a2e294854.
---
 nfq/darkmagic.c | 7 ++++++-
 nfq/nfqws.c | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/nfq/darkmagic.c b/nfq/darkmagic.c
index dcba3a2..0d4f25a 100644
--- a/nfq/darkmagic.c
+++ b/nfq/darkmagic.c
@@ -899,7 +899,12 @@ static int rawsend_socket_divert(sa_family_t family)
 	// we either have to go to the link layer (its hard, possible problems arise, compat testing, ...) or use some HACKING
 	// from my point of view disabling direct ability to send ip frames is not security. its SHIT
 
-	int fd = socket(family, SOCK_RAW, IPPROTO_DIVERT);
+	int fd;
+#if __FreeBSD_version >= 1400066 && defined(PF_DIVERT)
+	fd = socket(PF_DIVERT, SOCK_RAW, 0);
+#else
+	fd = socket(family, SOCK_RAW, IPPROTO_DIVERT);
+#endif
 	if (fd!=-1 && !set_socket_buffers(fd,4096,RAW_SNDBUF))
 	{
 		close(fd);
diff --git a/nfq/nfqws.c b/nfq/nfqws.c
index 8623fb0..6ea63d9 100644
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@@ -347,7 +347,11 @@ static int dvt_main()
 	bp4.sin_addr.s_addr = INADDR_ANY;
 	printf("creating divert4 socket\n");
+#if __FreeBSD_version >= 1400066 && defined(PF_DIVERT)
+	fd[0] = socket(PF_DIVERT, SOCK_RAW, 0);
+#else
 	fd[0] = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
+#endif
 	if (fd[0] == -1)
 	{
 		perror("socket (DIVERT4)");
 		goto exiterr;
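Review bot: The new guard `#if __FreeBSD_version >= 1400066 && defined(PF_DIVERT)` silently falls back to the deprecated `#else` branch whenever `__FreeBSD_version` is not a defined macro at this point, because an undefined identifier evaluates to 0 in a preprocessor expression; the hunk does not show an include of `<sys/param.h>` or `<osreldate.h>` in darkmagic.c, so confirm it is included above, and the same applies to the nfqws.c hunk. The identical expression is duplicated verbatim in both files, so a single decision in a shared header, e.g. `#if __FreeBSD_version >= 1400066 && defined(PF_DIVERT)` / `#define HAVE_PF_DIVERT 1` / `#endif`, tested with `#ifdef HAVE_PF_DIVERT` at both call sites, would keep them from drifting apart. In the PF_DIVERT branch the `family` parameter of rawsend_socket_divert is no longer used; a one-line comment such as `// FreeBSD 14: PF_DIVERT is address-family independent, IPPROTO_DIVERT on an inet family is deprecated` would record why the two branches differ and why `family` is ignored there. The body of rawsend_socket_divert continues outside the hunk.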
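Review bot: On the PF_DIVERT path the socket is no longer tied to AF_INET, yet the surrounding lines still present it as IPv4-only (`printf("creating divert4 socket\n");`, `perror("socket (DIVERT4)");`) and, judging from the `bp4.sin_addr.s_addr = INADDR_ANY;` setup just above, it is presumably bound with a `sockaddr_in` further down; whether that bind and any IPv6 divert counterpart outside this hunk behave correctly under the family-independent PF_DIVERT is not visible here and should be confirmed. When the PF_DIVERT call fails the perror text cannot tell the operator which variant was attempted, so logging the chosen branch, e.g. `perror("socket (PF_DIVERT)");` inside the `#if` arm, would make a failed deployment on FreeBSD 14 easier to diagnose. dvt_main continues outside the hunk.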