To enable divert sockets, a kernel must be compiled with "options IPDIVERT", or the ipdivert.ko module can be loaded at run-time:
If a packet is diverted but no socket is bound to the port, or if IPDIVERT is not enabled or loaded in the kernel, the packet is dropped.
Incoming packet fragments which get diverted are fully reassembled before delivery; the diversion of any one fragment causes the entire packet to get diverted. If different fragments divert to different ports, then which port ultimately gets chosen is unpredictable.
Note that packets arriving on the divert socket by the ipfw(8) tee action are delivered as-is and packet fragments do not get reassembled in this case.
Packets are received and sent unchanged, except that packets read as outgoing have invalid IP header checksums, and packets written as outgoing have their IP header checksums overwritten with the correct value. Packets written as incoming and having incorrect checksums will be dropped. Otherwise, all header fields are unchanged (and therefore in network order).
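The checksum rule above matters to any program that edits a diverted packet before writing it back as incoming. The following is an added example, not code from this manual page or from the system it describes: it validates and recomputes the IPv4 header checksum on a buffer held in network order, as a divert socket delivers it. The function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: 20-byte IPv4 header, TTL 0x40, valid checksum 0xb861. */
const uint8_t sample_pkt[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

/* One's-complement sum of the header, read as big-endian 16-bit words. */
static uint16_t ip_hdr_sum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header length in bytes, or 0 if buf cannot be an IPv4 packet. */
static size_t ip_hdr_len(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    return (hlen >= 20 && hlen <= len) ? hlen : 0;
}

/* 1 if the stored checksum is valid. Summing a header together with a
 * correct checksum field gives 0xffff, whose complement is 0. */
int ip_hdr_checksum_ok(const uint8_t *buf, size_t len)
{
    size_t hlen = ip_hdr_len(buf, len);
    return hlen != 0 && ip_hdr_sum(buf, hlen) == 0;
}

/* Recompute and store the checksum after the header was modified.
 * Call this before writing the packet back as incoming.
 * Returns 0 on success, -1 if the buffer is not a usable IPv4 packet. */
int ip_hdr_checksum_fix(uint8_t *buf, size_t len)
{
    size_t hlen = ip_hdr_len(buf, len);
    if (hlen == 0)
        return -1;
    buf[10] = buf[11] = 0;              /* checksum field counts as zero */
    uint16_t c = ip_hdr_sum(buf, hlen);
    buf[10] = (uint8_t)(c >> 8);
    buf[11] = (uint8_t)(c & 0xff);
    return 0;
}
```

A packet read as outgoing will fail ip_hdr_checksum_ok() by design, so the check is meaningful only on packets read as incoming.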
Binding to port numbers less than 1024 requires super-user access, as does creating a socket of type SOCK_RAW.
Writing to a divert socket can return these errors, along with the usual errors possible when writing raw packets: