git: 47d0c1fe7d32 - main - pf.conf.5: document SCTP support

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 21 Jul 2023 10:32:46 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e

commit 47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-06-21 08:04:07 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-07-21 10:32:19 +0000

    pf.conf.5: document SCTP support
    
    Mention SCTP in the pf.conf.5
    
    Reviewed by:    tuexen
    MFC after:      3 weeks
    Sponsored by:   Orange Business Services
    Differential Revision:  https://reviews.freebsd.org/D40870
---
 share/man/man5/pf.conf.5 | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 8292812f7817..2f071d3d94e8 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -28,7 +28,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 26, 2023
+.Dd June 21, 2023
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -493,6 +493,7 @@ action:
 Packet is silently dropped.
 .It Ar return
 A TCP RST is returned for blocked TCP packets,
+an SCTP ABORT chunk is returned for blocked SCTP packets,
 an ICMP UNREACHABLE is returned for blocked UDP packets,
 and all other packets are silently dropped.
 .El
@@ -517,6 +518,7 @@ actions are possible:
 Incoming packet is silently dropped.
 .It Ar return
 Incoming packet is dropped and TCP RST is returned for TCP packets,
+an SCTP ABORT chunk is returned for blocked SCTP packets,
 an ICMP UNREACHABLE is returned for UDP packets,
 and no response is sent for other packets.
 .El
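Review bot: The added line reads "for blocked SCTP packets" while the neighbouring clauses in this list say "for TCP packets" and "for UDP packets" (the "blocked" wording belongs to the other list, at the hunk around line 493, where every clause uses it); drop the word here so the sentence stays parallel: `an SCTP ABORT chunk is returned for SCTP packets,`.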
@@ -1267,8 +1269,8 @@ A stateful connection is automatically created to track packets matching
 such a rule as long as they are not blocked by the filtering section of
 .Nm pf.conf .
 The translation engine modifies the specified address and/or port in the
-packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to
-the packet filter for evaluation.
+packet, recalculates IP, TCP and UDP checksums as necessary, and passes
+it to the packet filter for evaluation.
 .Pp
 Since translation occurs before filtering the filter
 engine will see packets as they look after any
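Review bot: This hunk only moves the line break, but the sentence it touches still says the translation engine "recalculates IP, TCP and UDP checksums", and the new SCTP CONSIDERATIONS section in this same patch says pf can NAT SCTP traffic. If pf recalculates the SCTP checksum when it rewrites addresses, add SCTP to this list; if it does not, say so in SCTP CONSIDERATIONS, since a reader planning NAT for SCTP will look here first. The whitespace-only reflow itself is unrelated to the commit's purpose and could be dropped to keep the diff minimal.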
@@ -1404,6 +1406,7 @@ and layer 4 (see
 .Xr icmp 4 ,
 .Xr icmp6 4 ,
 .Xr tcp 4 ,
+.Xr sctp 4 ,
 .Xr udp 4 )
 headers.
 In addition, packets may also be
@@ -1453,7 +1456,8 @@ can be overridden by specifying a message as a code or number.
 .It Ar return
 This causes a TCP RST to be returned for
 .Xr tcp 4
-packets and an ICMP UNREACHABLE for UDP and other packets.
+packets, an SCTP ABORT for SCTP
+and an ICMP UNREACHABLE for UDP and other packets.
 .El
 .Pp
 Options returning ICMP packets currently have no effect if
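Review bot: Missing comma and inconsistent naming in the rewritten sentence: "packets, an SCTP ABORT for SCTP and an ICMP UNREACHABLE" needs a comma after the second "SCTP" to separate the list items, the earlier hunks call the response an "SCTP ABORT chunk", and TCP gets an `.Xr tcp 4` cross-reference here while SCTP does not. Suggested replacement for the two added lines: `packets, an SCTP ABORT chunk for` / `.Xr sctp 4` / `packets, and an ICMP UNREACHABLE for UDP and other packets.`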
@@ -1654,6 +1658,7 @@ Common protocols are
 .Xr icmp 4 ,
 .Xr icmp6 4 ,
 .Xr tcp 4 ,
+.Xr sctp 4 ,
 and
 .Xr udp 4 .
 For a list of all the protocol name to number mappings used by
@@ -2853,6 +2858,14 @@ reference to an anchor name containing
 characters will require double quote
 .Pq Sq \&"
 characters around the anchor name.
+.Sh SCTP CONSIDERATIONS
+.Xr pf 4
+supports
+.Xr sctp 4
+connections.
+It can match ports, track state and NAT SCTP traffic.
+However, it will not alter port numbers during nat or rdr translations.
+Doing so would break SCTP multihoming.
 .Sh TRANSLATION EXAMPLES
 This example maps incoming requests on port 80 to port 8080, on
 which a daemon is running (because, for example, it is not run as root,
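Review bot: The new section states that pf "will not alter port numbers during nat or rdr translations" but not what happens to a rule that asks for exactly that (a port or port range on a `nat` or `rdr` target with `proto sctp`): is the rule rejected when pfctl loads the ruleset, or is the port part silently ignored at runtime? State which, because the TRANSLATION EXAMPLES section that follows opens with a port 80 to 8080 `rdr` rule and a reader will try the same thing for SCTP. As a style point, `nat` and `rdr` are rule keywords and the rest of the page marks those with mdoc macros (the `return` keyword above is `.Ar return`), so mark them the same way rather than as plain words. One clause on why port rewriting would break multihoming (what the peer would see) would also make the restriction easier to accept than the bare "Doing so would break SCTP multihoming."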
@@ -3319,6 +3332,7 @@ Service name database.
 .Xr pf 4 ,
 .Xr pfsync 4 ,
 .Xr tcp 4 ,
+.Xr sctp 4 ,
 .Xr udp 4 ,
 .Xr hosts 5 ,
 .Xr pf.os 5 ,
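Review bot: `.Xr sctp 4` is inserted after `.Xr tcp 4` in SEE ALSO, but mdoc convention orders cross-references by section and then alphabetically within a section, so it belongs between `.Xr pfsync 4 ,` and `.Xr tcp 4 ,`; `mandoc -T lint` warns about unusual Xr order in SEE ALSO. The same tcp-before-sctp placement is used in the three earlier `.Xr` lists in this patch; pick one order and apply it consistently.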