git: c46419526269 - stable/13 - pf.conf.5: document SCTP support

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 11 Aug 2023 12:13:40 UTC
The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=c46419526269025a797a365a240b8fcd307e4281

commit c46419526269025a797a365a240b8fcd307e4281
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-06-21 08:04:07 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-08-11 12:13:10 +0000

    pf.conf.5: document SCTP support
    
    Mention SCTP in the pf.conf.5
    
    Reviewed by:    tuexen
    MFC after:      3 weeks
    Sponsored by:   Orange Business Services
    Differential Revision:  https://reviews.freebsd.org/D40870
    
    (cherry picked from commit 47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e)
---
 share/man/man5/pf.conf.5 | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index cc1b902e0006..95710027bdf3 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -28,7 +28,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 25, 2021
+.Dd June 21, 2023
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -491,6 +491,7 @@ action:
 Packet is silently dropped.
 .It Ar return
 A TCP RST is returned for blocked TCP packets,
+an SCTP ABORT chunk is returned for blocked SCTP packets,
 an ICMP UNREACHABLE is returned for blocked UDP packets,
 and all other packets are silently dropped.
 .El
@@ -515,6 +516,7 @@ actions are possible:
 Incoming packet is silently dropped.
 .It Ar return
 Incoming packet is dropped and TCP RST is returned for TCP packets,
+an SCTP ABORT chunk is returned for blocked SCTP packets,
 an ICMP UNREACHABLE is returned for UDP packets,
 and no response is sent for other packets.
 .El
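Review bot: the added line says "for blocked SCTP packets" while the neighbouring clauses in this list say "for TCP packets" and "for UDP packets" without "blocked" (the whole list is already introduced by "Incoming packet is dropped and"); drop the word here so the three clauses read in parallel: "an SCTP ABORT chunk is returned for SCTP packets,". The earlier hunk's "for blocked SCTP packets" matches its own surrounding "for blocked TCP packets", so only this one needs adjusting.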
@@ -1139,8 +1141,8 @@ A stateful connection is automatically created to track packets matching
 such a rule as long as they are not blocked by the filtering section of
 .Nm pf.conf .
 The translation engine modifies the specified address and/or port in the
-packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to
-the packet filter for evaluation.
+packet, recalculates IP, TCP and UDP checksums as necessary, and passes
+it to the packet filter for evaluation.
 .Pp
 Since translation occurs before filtering the filter
 engine will see packets as they look after any
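Review bot: this hunk only rewraps the sentence and still lists "IP, TCP and UDP checksums", yet the SCTP CONSIDERATIONS section added later in this patch says pf can NAT SCTP traffic. If the translation engine recomputes the SCTP checksum on translated packets, say so here ("recalculates IP, TCP, UDP and SCTP checksums as necessary"); if it does not, that is worth documenting next to the multihoming caveat. As written the rewrap changes no rendered text and is unrelated to the SCTP change.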
@@ -1276,6 +1278,7 @@ and layer 4 (see
 .Xr icmp 4 ,
 .Xr icmp6 4 ,
 .Xr tcp 4 ,
+.Xr sctp 4 ,
 .Xr udp 4 )
 headers.
 In addition, packets may also be
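Review bot: inserting ".Xr sctp 4 ," between tcp and udp leaves this cross-reference list unsorted (icmp, icmp6, tcp, sctp, udp); place it before ".Xr tcp 4 ," so the list stays alphabetical, and use the same order in the "Common protocols are" list further down so both lists agree.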
@@ -1325,7 +1328,8 @@ can be overridden by specifying a message as a code or number.
 .It Ar return
 This causes a TCP RST to be returned for
 .Xr tcp 4
-packets and an ICMP UNREACHABLE for UDP and other packets.
+packets, an SCTP ABORT for SCTP
+and an ICMP UNREACHABLE for UDP and other packets.
 .El
 .Pp
 Options returning ICMP packets currently have no effect if
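Review bot: "an SCTP ABORT for SCTP" drops both the cross-reference and the noun that the TCP clause uses (".Xr tcp 4" followed by "packets"); make it parallel, e.g. "packets, an SCTP ABORT for" / ".Xr sctp 4" / "packets, and an ICMP UNREACHABLE for UDP and other packets." Since the sentence is being touched anyway, note that it still says ICMP UNREACHABLE is returned "for UDP and other packets" whereas the block-policy text earlier in this patch says "all other packets are silently dropped"; the two descriptions should be reconciled.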
@@ -1515,6 +1519,7 @@ Common protocols are
 .Xr icmp 4 ,
 .Xr icmp6 4 ,
 .Xr tcp 4 ,
+.Xr sctp 4 ,
 and
 .Xr udp 4 .
 For a list of all the protocol name to number mappings used by
@@ -2717,6 +2722,14 @@ reference to an anchor name containing
 characters will require double quote
 .Pq Sq \&"
 characters around the anchor name.
+.Sh SCTP CONSIDERATIONS
+.Xr pf 4
+supports
+.Xr sctp 4
+connections.
+It can match ports, track state and NAT SCTP traffic.
+However, it will not alter port numbers during nat or rdr translations.
+Doing so would break SCTP multihoming.
 .Sh TRANSLATION EXAMPLES
 This example maps incoming requests on port 80 to port 8080, on
 which a daemon is running (because, for example, it is not run as root,
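Review bot: the new section leaves "nat or rdr" as plain text although they are rule keywords elsewhere in this page, and it does not say what happens to an SCTP rule that does request a port change (whether pfctl rejects it or pf keeps the original port silently). That matters because the TRANSLATION section says the engine "modifies the specified address and/or port" and the TRANSLATION EXAMPLES that immediately follow open with a port 80 to 8080 rdr, so a reader will expect the same to work for SCTP. Stating the behaviour here, and cross-referencing this caveat from the nat and rdr descriptions, would close that gap.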
@@ -3162,6 +3175,7 @@ Service name database.
 .Xr pf 4 ,
 .Xr pfsync 4 ,
 .Xr tcp 4 ,
+.Xr sctp 4 ,
 .Xr udp 4 ,
 .Xr hosts 5 ,
 .Xr pf.os 5 ,
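Review bot: in SEE ALSO the mdoc convention is to sort references by section and then by name, so ".Xr sctp 4 ," belongs before ".Xr tcp 4 ," rather than between tcp and udp.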