On 2021-11-11, Edward Crawler <edwardcraw...@outlook.com> wrote:
> Hi Misc,
>
> I'm writing a transparent https proxy for tls inspection. This proxy works
> fine when I use "rdr-to" in pf.
> However, when I try to use "divert-to", it's not working.
>
> What's the actual difference between the rdr-to and divert-to? What could be
> the problem?
rdr-to rewrites the address on the packets, so in order to retrieve the
original addresses you need write access to /dev/pf so you can use the
DIOCNATLOOK ioctl. divert-to does not rewrite them, so in that case you use
(unprivileged) getsockname.

--
Please keep replies on the mailing list.
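Added example, not code from the thread, showing the two lookups the reply describes: `orig_dst_divert()` recovers the client's intended destination with unprivileged getsockname() for the divert-to case, while `orig_dst_rdr()` asks pf for the pre-rewrite destination through the DIOCNATLOOK ioctl on /dev/pf for the rdr-to case, in the same way OpenBSD's ftp-proxy does. The function names and the loopback self-check are my own; the rdr-to branch is OpenBSD-specific and is compiled only under `#ifdef __OpenBSD__`.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
#ifdef __OpenBSD__   /* pf's DIOCNATLOOK and struct pfioc_natlook live here */
#include <sys/ioctl.h>
#include <net/if.h>
#include <net/pfvar.h>
#include <fcntl.h>
#endif
/* divert-to: pf left the packet alone, so the accepted socket's local address is the client's real destination. */
int orig_dst_divert(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    return getsockname(fd, (struct sockaddr *)dst, &len);   /* no privilege needed */
}
#ifdef __OpenBSD__
/* rdr-to: pf rewrote the destination, so ask pf for this client->proxy flow's state; needs r/w on /dev/pf. */
int orig_dst_rdr(int fd, struct sockaddr_in *dst)
{
    struct sockaddr_in peer, local; socklen_t plen = sizeof(peer), llen = sizeof(local);
    struct pfioc_natlook nl; int pf, rc;
    if (getpeername(fd, (struct sockaddr *)&peer, &plen) == -1 ||
        getsockname(fd, (struct sockaddr *)&local, &llen) == -1 ||
        (pf = open("/dev/pf", O_RDWR)) == -1) return -1;
    memset(&nl, 0, sizeof(nl));
    nl.af = AF_INET; nl.proto = IPPROTO_TCP; nl.direction = PF_OUT;
    nl.saddr.v4 = peer.sin_addr;  nl.sport = peer.sin_port;   /* client side of the flow */
    nl.daddr.v4 = local.sin_addr; nl.dport = local.sin_port;  /* proxy side (post-rdr)  */
    rc = ioctl(pf, DIOCNATLOOK, &nl); close(pf);
    if (rc == -1) return -1;
    memset(dst, 0, sizeof(*dst)); dst->sin_len = sizeof(*dst); dst->sin_family = AF_INET;
    dst->sin_addr = nl.rdaddr.v4; dst->sin_port = nl.rdport;  /* destination before the rdr */
    return 0;
}
#endif
/* Self-check on any POSIX host: a loopback connection is "diverted" to the listener itself (constructed input). */
int selftest_divert_lookup(void)
{
    struct sockaddr_in b, got; socklen_t bl = sizeof(b);
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0), as = -1, ok = 0;
    memset(&b, 0, sizeof(b)); b.sin_family = AF_INET; b.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0 */
    if (ls != -1 && cs != -1 && bind(ls, (struct sockaddr *)&b, sizeof(b)) == 0 && listen(ls, 1) == 0 &&
        getsockname(ls, (struct sockaddr *)&b, &bl) == 0 && connect(cs, (struct sockaddr *)&b, sizeof(b)) == 0 &&
        (as = accept(ls, NULL, NULL)) != -1 && orig_dst_divert(as, &got) == 0)
        ok = got.sin_port == b.sin_port && got.sin_addr.s_addr == b.sin_addr.s_addr;
    if (as != -1) close(as); if (ls != -1) close(ls); if (cs != -1) close(cs);
    return ok;
}
```

A proxy built on divert-to should also be started without write access to /dev/pf, since nothing in the divert-to path requires it.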