Index: sys/dev/iscsi/iscsi.c
===================================================================
--- sys/dev/iscsi/iscsi.c	(revision 263014)
+++ sys/dev/iscsi/iscsi.c	(working copy)
@@ -1585,6 +1585,33 @@ iscsi_sanitize_session_conf(struct iscsi_session_c
 	isc->isc_mutual_secret[ISCSI_SECRET_LEN - 1] = '\0';
 }
 
+static bool
+iscsi_valid_session_conf(const struct iscsi_session_conf *isc)
+{
+
+	if (isc->isc_initiator[0] == '\0') {
+		ISCSI_DEBUG("empty isc_initiator");
+		return (false);
+	}
+
+	if (isc->isc_target_addr[0] == '\0') {
+		ISCSI_DEBUG("empty isc_target_addr");
+		return (false);
+	}
+
+	if (isc->isc_discovery != 0 && isc->isc_target[0] != 0) {
+		ISCSI_DEBUG("non-empty isc_target for discovery session");
+		return (false);
+	}
+
+	if (isc->isc_discovery == 0 && isc->isc_target[0] == 0) {
+		ISCSI_DEBUG("empty isc_target for non-discovery session");
+		return (false);
+	}
+
+	return (true);
+}
+
 static int
 iscsi_ioctl_session_add(struct iscsi_softc *sc, struct iscsi_session_add *isa)
 {
@@ -1593,22 +1620,12 @@ iscsi_ioctl_session_add(struct iscsi_softc *sc, st
 	int error;
 
 	iscsi_sanitize_session_conf(&isa->isa_conf);
+	if (iscsi_valid_session_conf(&isa->isa_conf) == false)
+		return (EINVAL);
 
 	is = malloc(sizeof(*is), M_ISCSI, M_ZERO | M_WAITOK);
 	memcpy(&is->is_conf, &isa->isa_conf, sizeof(is->is_conf));
 
-	if (is->is_conf.isc_initiator[0] == '\0' ||
-	    is->is_conf.isc_target_addr[0] == '\0') {
-		free(is, M_ISCSI);
-		return (EINVAL);
-	}
-
-	if ((is->is_conf.isc_discovery != 0 && is->is_conf.isc_target[0] != 0) ||
-	    (is->is_conf.isc_discovery == 0 && is->is_conf.isc_target[0] == 0)) {
-		free(is, M_ISCSI);
-		return (EINVAL);
-	}
-
 	sx_xlock(&sc->sc_lock);
 
 	/*
@@ -1763,8 +1780,39 @@ iscsi_ioctl_session_list(struct iscsi_softc *sc, s
 
 	return (0);
 }
-	
+
 static int
+iscsi_ioctl_session_modify(struct iscsi_softc *sc,
+    struct iscsi_session_modify *ism)
+{
+	struct iscsi_session *is;
+
+	iscsi_sanitize_session_conf(&ism->ism_conf);
+	if (iscsi_valid_session_conf(&ism->ism_conf) == false)
+		return (EINVAL);
+
+	sx_xlock(&sc->sc_lock);
+	TAILQ_FOREACH(is, &sc->sc_sessions, is_next) {
+		ISCSI_SESSION_LOCK(is);
+		if (is->is_id == ism->ism_session_id)
+			break;
+		ISCSI_SESSION_UNLOCK(is);
+	}
+	if (is == NULL) {
+		sx_xunlock(&sc->sc_lock);
+		return (ESRCH);
+	}
+	sx_xunlock(&sc->sc_lock);
+
+	memcpy(&is->is_conf, &ism->ism_conf, sizeof(is->is_conf));
+	ISCSI_SESSION_UNLOCK(is);
+
+	iscsi_session_reconnect(is);
+
+	return (0);
+}
+
+static int
 iscsi_ioctl(struct cdev *dev, u_long cmd, caddr_t arg, int mode,
     struct thread *td)
 {
@@ -1805,6 +1853,9 @@ iscsi_ioctl(struct cdev *dev, u_long cmd, caddr_t
 	case ISCSISLIST:
 		return (iscsi_ioctl_session_list(sc,
 		    (struct iscsi_session_list *)arg));
+	case ISCSISMODIFY:
+		return (iscsi_ioctl_session_modify(sc,
+		    (struct iscsi_session_modify *)arg));
 	default:
 		return (EINVAL);
 	}
Index: sys/dev/iscsi/iscsi_ioctl.h
===================================================================
--- sys/dev/iscsi/iscsi_ioctl.h	(revision 263014)
+++ sys/dev/iscsi/iscsi_ioctl.h	(working copy)
@@ -208,8 +208,15 @@ struct iscsi_session_list {
 	int				isl_spare[4];
 };
 
+struct iscsi_session_modify {
+	unsigned int			ism_session_id;
+	struct iscsi_session_conf	ism_conf;
+	int				ism_spare[4];
+};
+
 #define	ISCSISADD	_IOW('I', 0x11, struct iscsi_session_add)
 #define	ISCSISREMOVE	_IOW('I', 0x12, struct iscsi_session_remove)
 #define	ISCSISLIST	_IOWR('I', 0x13, struct iscsi_session_list)
+#define	ISCSISMODIFY	_IOWR('I', 0x14, struct iscsi_session_modify)
 
 #endif /* !ISCSI_IOCTL_H */
Index: usr.sbin/iscsid/iscsid.c
===================================================================
--- usr.sbin/iscsid/iscsid.c	(revision 263014)
+++ usr.sbin/iscsid/iscsid.c	(working copy)
@@ -306,10 +306,10 @@ capsicate(struct connection *conn)
 	cap_rights_t rights;
 #ifdef ICL_KERNEL_PROXY
 	const unsigned long cmds[] = { ISCSIDCONNECT, ISCSIDSEND, ISCSIDRECEIVE,
-	    ISCSIDHANDOFF, ISCSIDFAIL, ISCSISADD, ISCSISREMOVE };
+	    ISCSIDHANDOFF, ISCSIDFAIL, ISCSISADD, ISCSISREMOVE, ISCSISMODIFY };
 #else
 	const unsigned long cmds[] = { ISCSIDHANDOFF, ISCSIDFAIL, ISCSISADD,
-	    ISCSISREMOVE };
+	    ISCSISREMOVE, ISCSISMODIFY };
 #endif
 
 	cap_rights_init(&rights, CAP_IOCTL);
Index: usr.sbin/iscsid/login.c
===================================================================
--- usr.sbin/iscsid/login.c	(revision 263014)
+++ usr.sbin/iscsid/login.c	(working copy)
@@ -30,6 +30,7 @@
  */
 
 #include <sys/types.h>
+#include <sys/ioctl.h>
 #include <assert.h>
 #include <stdbool.h>
 #include <stdio.h>
@@ -159,11 +160,12 @@ login_target_error_str(int class, int detail)
 }
 
 static struct pdu *
-login_receive(struct connection *conn, bool initial)
+login_receive(struct connection *conn, bool redirection_ok)
 {
 	struct pdu *response;
 	struct iscsi_bhs_login_response *bhslr;
 	const char *errorstr;
+	static bool initial = true;
 
 	response = pdu_new(conn);
 	pdu_receive(response);
@@ -186,8 +188,12 @@ static struct pdu *
 	if (bhslr->bhslr_status_class != 0) {
 		errorstr = login_target_error_str(bhslr->bhslr_status_class,
 		    bhslr->bhslr_status_detail);
-		fail(conn, errorstr);
-		log_errx(1, "target returned error: %s", errorstr);
+		if (bhslr->bhslr_status_class == 1 && redirection_ok) {
+			log_debugx("redirection received: %s", errorstr);
+		} else {
+			fail(conn, errorstr);
+			log_errx(1, "target returned error: %s", errorstr);
+		}
 	}
 	if (initial == false &&
 	    ntohl(bhslr->bhslr_statsn) != conn->conn_statsn + 1) {
@@ -201,6 +207,8 @@ static struct pdu *
 	}
 	conn->conn_statsn = ntohl(bhslr->bhslr_statsn);
 
+	initial = false;
+
 	return (response);
 }
 
@@ -390,6 +398,63 @@ login_compute_md5(const char id, const char *secre
 }
 
 static void
+kernel_modify(const struct connection *conn, const char *target_address)
+{
+	struct iscsi_session_modify ism;
+	int error;
+
+	memset(&ism, 0, sizeof(ism));
+	ism.ism_session_id = conn->conn_session_id;
+	memcpy(&ism.ism_conf, &conn->conn_conf, sizeof(ism.ism_conf));
+	strlcpy(ism.ism_conf.isc_target_addr, target_address,
+	    sizeof(ism.ism_conf.isc_target));
+	error = ioctl(conn->conn_iscsi_fd, ISCSISMODIFY, &ism);
+	if (error != 0) {
+		log_err(1, "failed to redirect to %s: ISCSISMODIFY",
+		    target_address);
+	}
+}
+
+/*
+ * XXX:	The way it works is suboptimal; what should happen is described
+ *	in draft-gilligan-iscsi-fault-tolerance-00.  That, however, would
+ *	be much more complicated: we would need to keep "dependencies"
+ *	for sessions, so that, in case described in draft and using draft
+ *	terminology, we would have three sessions: one for discovery,
+ *	one for initial target portal, and one for redirect portal.  
+ *	This would allow us to "backtrack" on connection failure,
+ *	as described in draft.
+ */
+static bool
+login_handle_redirection(struct connection *conn, struct pdu *response)
+{
+	struct iscsi_bhs_login_response *bhslr;
+	struct keys *response_keys;
+	const char *target_address;
+
+	bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs;
+	if (bhslr->bhslr_status_class != 1)
+		return (false);
+
+	response_keys = keys_new();
+	keys_load(response_keys, response);
+
+	target_address = keys_find(response_keys, "TargetAddress");
+	if (target_address == NULL)
+		log_errx(1, "received redirection without TargetAddress");
+	if (target_address[0] == '\0')
+		log_errx(1, "received redirection with empty TargetAddress");
+	if (strlen(target_address) >=
+	    sizeof(conn->conn_conf.isc_target_addr) - 1)
+		log_errx(1, "received TargetAddress is too long");
+
+	log_debugx("received redirection to \"%s\"", target_address);
+	kernel_modify(conn, target_address);
+
+	return (true);
+}
+
+static void
 login_negotiate_key(struct connection *conn, const char *name,
     const char *value)
 {
@@ -538,7 +603,11 @@ login_negotiate(struct connection *conn)
 	pdu_delete(request);
 	request = NULL;
 
-	response = login_receive(conn, false);
+	response = login_receive(conn, true);
+	if (login_handle_redirection(conn, response)) {
+		log_debugx("redirection handled; exiting");
+		exit(0);
+	}
 	response_keys = keys_new();
 	keys_load(response_keys, response);
 	for (i = 0; i < KEYS_MAX; i++) {
@@ -824,7 +893,7 @@ login(struct connection *conn)
 	pdu_send(request);
 	pdu_delete(request);
 
-	response = login_receive(conn, true);
+	response = login_receive(conn, false);
 
 	response_keys = keys_new();
 	keys_load(response_keys, response);