git: c46419526269 - stable/13 - pf.conf.5: document SCTP support
Date: Fri, 11 Aug 2023 12:13:40 UTC
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=c46419526269025a797a365a240b8fcd307e4281 commit c46419526269025a797a365a240b8fcd307e4281 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-06-21 08:04:07 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-08-11 12:13:10 +0000 pf.conf.5: document SCTP support Mention SCTP in the pf.conf.5 Reviewed by: tuexen MFC after: 3 weeks Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D40870 (cherry picked from commit 47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e) --- share/man/man5/pf.conf.5 | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index cc1b902e0006..95710027bdf3 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd September 25, 2021 +.Dd June 21, 2023 .Dt PF.CONF 5 .Os .Sh NAME @@ -491,6 +491,7 @@ action: Packet is silently dropped. .It Ar return A TCP RST is returned for blocked TCP packets, +an SCTP ABORT chunk is returned for blocked SCTP packets, an ICMP UNREACHABLE is returned for blocked UDP packets, and all other packets are silently dropped. .El @@ -515,6 +516,7 @@ actions are possible: Incoming packet is silently dropped. .It Ar return Incoming packet is dropped and TCP RST is returned for TCP packets, +an SCTP ABORT chunk is returned for blocked SCTP packets, an ICMP UNREACHABLE is returned for UDP packets, and no response is sent for other packets. .El 
@@ -1139,8 +1141,8 @@ A stateful connection is automatically created to track packets matching such a rule as long as they are not blocked by the filtering section of .Nm pf.conf . The translation engine modifies the specified address and/or port in the -packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to -the packet filter for evaluation. +packet, recalculates IP, TCP and UDP checksums as necessary, and passes +it to the packet filter for evaluation. .Pp Since translation occurs before filtering the filter engine will see packets as they look after any @@ -1276,6 +1278,7 @@ and layer 4 (see .Xr icmp 4 , .Xr icmp6 4 , .Xr tcp 4 , +.Xr sctp 4 , .Xr udp 4 ) headers. In addition, packets may also be @@ -1325,7 +1328,8 @@ can be overridden by specifying a message as a code or number. .It Ar return This causes a TCP RST to be returned for .Xr tcp 4 -packets and an ICMP UNREACHABLE for UDP and other packets. +packets, an SCTP ABORT for SCTP +and an ICMP UNREACHABLE for UDP and other packets. .El .Pp Options returning ICMP packets currently have no effect if @@ -1515,6 +1519,7 @@ Common protocols are .Xr icmp 4 , .Xr icmp6 4 , .Xr tcp 4 , +.Xr sctp 4 , and .Xr udp 4 . For a list of all the protocol name to number mappings used by @@ -2717,6 +2722,14 @@ reference to an anchor name containing characters will require double quote .Pq Sq \&" characters around the anchor name. +.Sh SCTP CONSIDERATIONS +.Xr pf 4 +supports +.Xr sctp 4 +connections. +It can match ports, track state and NAT SCTP traffic. +However, it will not alter port numbers during nat or rdr translations. +Doing so would break SCTP multihoming. .Sh TRANSLATION EXAMPLES This example maps incoming requests on port 80 to port 8080, on which a daemon is running (because, for example, it is not run as root, @@ -3162,6 +3175,7 @@ Service name database. .Xr pf 4 , .Xr pfsync 4 , .Xr tcp 4 , +.Xr sctp 4 , .Xr udp 4 , .Xr hosts 5 , .Xr pf.os 5 ,
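Review bot: in the @@ -515 hunk the added line reads "for blocked SCTP packets" while its neighbours in the same list read "for TCP packets" and "for UDP packets"; drop "blocked" here (the list item already opens with "Incoming packet is dropped") so the three clauses stay parallel: `an SCTP ABORT chunk is returned for SCTP packets,`.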
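Review bot: the @@ -1139 hunk only re-wraps the translation-engine sentence and leaves the list as "IP, TCP and UDP checksums", yet the new SCTP CONSIDERATIONS section in this same commit says pf can NAT SCTP traffic; either state here whether the SCTP checksum (CRC32c) is recalculated when an SCTP packet is translated, or leave this unrelated reflow out of a commit whose subject is SCTP documentation.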
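Review bot: in the @@ -1325 hunk "an SCTP ABORT for SCTP" is missing the noun and the cross-reference that the preceding TCP clause has; suggest `packets, an SCTP ABORT for` / `.Xr sctp 4` / `packets, and an ICMP UNREACHABLE for UDP and other packets.` so the two protocols are described the same way.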
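Review bot: the SCTP CONSIDERATIONS section added in the @@ -2717 hunk says port numbers are not altered during nat or rdr translations, but not what happens when a rule nevertheless specifies a port for SCTP, and the TRANSLATION EXAMPLES section that immediately follows opens with a port 80 to 8080 redirect; say whether such a port is ignored, rejected when the ruleset is loaded, or left unchanged, so an operator does not expect that example to work for SCTP. Also mark up nat and rdr as keywords (for example `.Ic nat` and `.Ic rdr`) rather than leaving them as plain text.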
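Review bot: in the @@ -3162 hunk `.Xr sctp 4` is inserted after `.Xr tcp 4`, which breaks the alphabetical ordering of the section 4 entries in SEE ALSO (pf, pfsync, tcp, udp); move it before `.Xr tcp 4`. The same applies to the protocol lists touched in the @@ -1276 and @@ -1515 hunks, where sctp also lands after tcp.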