pf - SCTP ports are not allowed in filter rules.
Kurt Jaeger
pi at freebsd.org
Sun Apr 25 08:58:12 UTC 2021
Hi!
> SCTP protocol header has src port and dst port fields. But pf doesn't
> support them.
>
> # echo "pass log (to pflog0) quick proto SCTP from any to any port
> 13873" | pfctl -f -
> stdin:1: port only applies to tcp/udp
> stdin:1: skipping rule due to errors
> stdin:1: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
> #
>
> I tried to write same rule with ipfw. It works.
>
> # ipfw add 200 allow sctp from any to any 13873
> 00200 allow sctp from any to any 13873
>
> Do I have a mistake, or is filtering for SCTP ports not supported by pf?
> Is it possible to fix?
sys/netpfil/pf/ has some ifdefs that reference SCTP.
So, if you recompile your kernel with
options SCTP
options SCTP_SUPPORT
it might improve, but the ifdefed code does not seem very far-reaching.
The user-space tooling (pfctl) does not seem to support sctp as a keyword?
--
pi at opsec.eu +49 171 3101372 Now what ?
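A way to probe what the installed pf parser accepts without loading anything, as an added example that is not part of the thread: pfctl's `-n` flag parses a ruleset and reports errors without applying it, so each candidate rule can be fed through `pfctl -nf -` and the result classified. The "port only applies to tcp/udp" message is the one quoted above; the function names, the verdict strings and the `no_pfctl` fallback for hosts without pf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-runs pf rules with pfctl -n
# (parse only, never loads) and classifies the parser's verdict.

# classify_pfctl_output: read pfctl's combined stdout/stderr on stdin and
# print one verdict:
#   unsupported_port  - parser rejected the port clause for this protocol
#                       (the message quoted in the thread)
#   syntax_error      - some other parse error
#   ok                - no error reported
classify_pfctl_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'port only applies to tcp/udp'; then
        echo unsupported_port
    elif printf '%s\n' "$out" | grep -qi 'syntax error'; then
        echo syntax_error
    else
        echo ok
    fi
}

# check_rule RULE: parse one rule with pfctl -nf - and classify the output.
# Prints no_pfctl (assumed verdict) when pfctl is not installed at all.
check_rule() {
    rule=$1
    if ! command -v pfctl >/dev/null 2>&1; then
        echo no_pfctl
        return 0
    fi
    printf '%s\n' "$rule" | pfctl -nf - 2>&1 | classify_pfctl_output
}

# Demonstration: the rule from the thread, and the same rule without a port
# clause, so the two verdicts can be compared on a given pf build.
for r in 'pass log (to pflog0) quick proto sctp from any to any port 13873' \
         'pass log (to pflog0) quick proto sctp from any to any'; do
    printf '%s -> %s\n' "$r" "$(check_rule "$r")"
done
```

Running this on a FreeBSD host prints one line per rule with the verdict; a build whose pfctl rejects the port clause reports `unsupported_port` for the first rule, which is the quick way to confirm the limitation before attempting a kernel rebuild.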