diverted packet must re-enter _after_ the matching rule, or we create loops.
The divert cookie (that can be set from userland too)
contains the matching rule nr, so we must start from nr+1.

Reported by: Joe Marcus Clarke
Luigi Rizzo 2009-12-27 10:19:10 +00:00
parent 2254f022a0
commit 2082ecd966


@ -1173,7 +1173,7 @@ do { \
IPFW_RUNLOCK(chain);
return (IP_FW_DENY); /* invalid */
}
f_pos = ipfw_find_rule(chain, skipto, 0);
f_pos = ipfw_find_rule(chain, skipto+1, 0);
}
}
/* reset divert rule to avoid confusion later */
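Review bot: the only change in this hunk is the `+1` in `f_pos = ipfw_find_rule(chain, skipto+1, 0);`, and since the divert cookie that supplies `skipto` is user-settable (as the commit message notes), the validity check immediately above (the branch that does `IPFW_RUNLOCK(chain); return (IP_FW_DENY); /* invalid */`) is the only thing standing between an attacker-chosen rule number and the lookup; please confirm that check bounds `skipto` so that `skipto+1` cannot exceed the largest rule number, and that `ipfw_find_rule` returns a safe position (the default rule) rather than an out-of-range index when no rule numbered `skipto+1` exists. A short comment at the call site explaining that re-entry must start after the matching rule to avoid loops would also help, since the reasoning currently lives only in the commit message.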