nfq: switch to PF_DIVERT/SOCK_RAW on FreeBSD 14

FreeBSD/FreeBSD-src@8624f4347e ("divert: declare PF_DIVERT domain and stop abusing PF_INET") deprecated IPPROTO_DIVERT by introducing address family-independent PF_DIVERT. Use socket(PF_DIVERT, SOCK_RAW, 0) to avoid deprecated behavior, i.e. FreeBSD/FreeBSD-src@f70a2e2948.
2025-04-20 22:12:58 +03:00 · 2023-07-16 17:22:38 +00:00 · 2023-07-16 17:22:38 +00:00 · aed912e702
commit aed912e702
parent d5b104d781
2 changed files with 10 additions and 1 deletions
--- a/nfq/darkmagic.c
+++ b/nfq/darkmagic.c
@ -899,7 +899,12 @@ static int rawsend_socket_divert(sa_family_t family)
 	// we either have to go to the link layer (its hard, possible problems arise, compat testing, ...) or use some HACKING
 	// from my point of view disabling direct ability to send ip frames is not security. its SHIT

-	int fd = socket(family, SOCK_RAW, IPPROTO_DIVERT);
+	int fd;
+#if __FreeBSD_version >= 1400066 && defined(PF_DIVERT)
+	fd = socket(PF_DIVERT, SOCK_RAW, 0);
+#else
+	fd = socket(family, SOCK_RAW, IPPROTO_DIVERT);
+#endif
 	if (fd!=-1 && !set_socket_buffers(fd,4096,RAW_SNDBUF))
 	{
 		close(fd);
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -347,7 +347,11 @@ static int dvt_main()
 		bp4.sin_addr.s_addr = INADDR_ANY;
 	
 		printf("creating divert4 socket\n");
+#if __FreeBSD_version >= 1400066 && defined(PF_DIVERT)
+		fd[0] = socket(PF_DIVERT, SOCK_RAW, 0);
+#else
 		fd[0] = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
+#endif
 		if (fd[0] == -1) {
 				perror("socket (DIVERT4)");
 			goto exiterr;