divert-packet extensions The interface is currently fairly basic and only allows to either read or write packets. Socket control messages (CMSG) could be used to extend it further: Optionally attach the 64bit PF state id for messages to userland. Control messages from userland with the attached state id: Empty packet payload but message to "block return" the state. Attach the original state id for reinjected packets. Additional extensions might exist in other implementations. FreeBSD's divert(4) was written for IPFW (yes, it still exists)