git: 47d0c1fe7d32 - main - pf.conf.5: document SCTP support
Date: Fri, 21 Jul 2023 10:32:46 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e
commit 47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-06-21 08:04:07 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-07-21 10:32:19 +0000
pf.conf.5: document SCTP support
Mention SCTP in the pf.conf.5
Reviewed by: tuexen
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40870
---
share/man/man5/pf.conf.5 | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 8292812f7817..2f071d3d94e8 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -28,7 +28,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd April 26, 2023
+.Dd June 21, 2023
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -493,6 +493,7 @@ action:
Packet is silently dropped.
.It Ar return
A TCP RST is returned for blocked TCP packets,
+an SCTP ABORT chunk is returned for blocked SCTP packets,
an ICMP UNREACHABLE is returned for blocked UDP packets,
and all other packets are silently dropped.
.El
@@ -517,6 +518,7 @@ actions are possible:
Incoming packet is silently dropped.
.It Ar return
Incoming packet is dropped and TCP RST is returned for TCP packets,
+an SCTP ABORT chunk is returned for blocked SCTP packets,
an ICMP UNREACHABLE is returned for UDP packets,
and no response is sent for other packets.
.El
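Review bot: the added line `an SCTP ABORT chunk is returned for blocked SCTP packets,` is inconsistent with its neighbours in this hunk, which say "for TCP packets" and "for UDP packets" without "blocked" (the word is redundant here since the whole item describes dropped packets). Suggest `an SCTP ABORT chunk is returned for SCTP packets,` to match the surrounding wording; the first hunk's wording ("blocked TCP packets" / "blocked UDP packets") already uses "blocked" consistently, so it is fine there.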
@@ -1267,8 +1269,8 @@ A stateful connection is automatically created to track packets matching
such a rule as long as they are not blocked by the filtering section of
.Nm pf.conf .
The translation engine modifies the specified address and/or port in the
-packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to
-the packet filter for evaluation.
+packet, recalculates IP, TCP and UDP checksums as necessary, and passes
+it to the packet filter for evaluation.
.Pp
Since translation occurs before filtering the filter
engine will see packets as they look after any
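Review bot: this hunk is a whitespace-only reflow of the checksum sentence with no SCTP content, which is noise in a commit about SCTP documentation; either drop it or split it into its own change. If it stays, also confirm whether "recalculates IP, TCP and UDP checksums as necessary" should mention SCTP now that the same commit documents NAT for SCTP traffic, or whether "as necessary" is intended to cover it.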
@@ -1404,6 +1406,7 @@ and layer 4 (see
.Xr icmp 4 ,
.Xr icmp6 4 ,
.Xr tcp 4 ,
+.Xr sctp 4 ,
.Xr udp 4 )
headers.
In addition, packets may also be
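Review bot: `.Xr sctp 4 ,` is inserted between `.Xr tcp 4 ,` and `.Xr udp 4 )`, which breaks the alphabetical order of this list (icmp, icmp6, tcp, udp); place it before `.Xr tcp 4 ,` so the list reads icmp, icmp6, sctp, tcp, udp, consistent with how cross-reference lists are ordered elsewhere in the page.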
@@ -1453,7 +1456,8 @@ can be overridden by specifying a message as a code or number.
.It Ar return
This causes a TCP RST to be returned for
.Xr tcp 4
-packets and an ICMP UNREACHABLE for UDP and other packets.
+packets, an SCTP ABORT for SCTP
+and an ICMP UNREACHABLE for UDP and other packets.
.El
.Pp
Options returning ICMP packets currently have no effect if
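Review bot: the added fragment `packets, an SCTP ABORT for SCTP` lacks both the noun and the cross-reference that the TCP case gets (`.Xr tcp 4` followed by "packets"). For parity, suggest:
`packets, an SCTP ABORT for`
`.Xr sctp 4`
`packets, and an ICMP UNREACHABLE for UDP and other packets.`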
@@ -1654,6 +1658,7 @@ Common protocols are
.Xr icmp 4 ,
.Xr icmp6 4 ,
.Xr tcp 4 ,
+.Xr sctp 4 ,
and
.Xr udp 4 .
For a list of all the protocol name to number mappings used by
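Review bot: same ordering point as the layer-4 header list: `.Xr sctp 4 ,` should come before `.Xr tcp 4 ,` so the "Common protocols" list stays alphabetical (icmp, icmp6, sctp, tcp, and udp).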
@@ -2853,6 +2858,14 @@ reference to an anchor name containing
characters will require double quote
.Pq Sq \&"
characters around the anchor name.
+.Sh SCTP CONSIDERATIONS
+.Xr pf 4
+supports
+.Xr sctp 4
+connections.
+It can match ports, track state and NAT SCTP traffic.
+However, it will not alter port numbers during nat or rdr translations.
+Doing so would break SCTP multihoming.
.Sh TRANSLATION EXAMPLES
This example maps incoming requests on port 80 to port 8080, on
which a daemon is running (because, for example, it is not run as root,
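Review bot: in the new SCTP CONSIDERATIONS section, `nat or rdr` in "it will not alter port numbers during nat or rdr translations" are rule keywords and should be marked up as `.Ar nat` and `.Ar rdr` the way the page marks up `.Ar return` above, which also resolves the mixed "NAT SCTP traffic" / "nat or rdr" capitalisation within the same paragraph. The closing sentence "Doing so would break SCTP multihoming." states the consequence without the reason; one clause explaining why port rewriting conflicts with multihomed associations would help readers who are deciding whether to rely on port-preserving NAT for SCTP.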
@@ -3319,6 +3332,7 @@ Service name database.
.Xr pf 4 ,
.Xr pfsync 4 ,
.Xr tcp 4 ,
+.Xr sctp 4 ,
.Xr udp 4 ,
.Xr hosts 5 ,
.Xr pf.os 5 ,
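Review bot: in SEE ALSO, `.Xr` entries are sorted by section number and then alphabetically, so `.Xr sctp 4 ,` belongs after `.Xr pfsync 4 ,` and before `.Xr tcp 4 ,`, not between `.Xr tcp 4 ,` and `.Xr udp 4 ,`; `mandoc -Tlint` flags this ordering.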