Date: Fri, 21 Jul 2023 10:32:46 GMT Message-Id: <202307211032.36LAWkoW010678@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 47d0c1fe7d32 - main - pf.conf.5: document SCTP support List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e commit 47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e Author: Kristof Provost AuthorDate: 2023-06-21 08:04:07 +0000 Commit: Kristof Provost CommitDate: 2023-07-21 10:32:19 +0000 pf.conf.5: document SCTP support Mention SCTP in the pf.conf.5 Reviewed by: tuexen MFC after: 3 weeks Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D40870 --- share/man/man5/pf.conf.5 | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 8292812f7817..2f071d3d94e8 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 26, 2023 +.Dd June 21, 2023 .Dt PF.CONF 5 .Os .Sh NAME @@ -493,6 +493,7 @@ action: Packet is silently dropped. .It Ar return A TCP RST is returned for blocked TCP packets, +an SCTP ABORT chunk is returned for blocked SCTP packets, an ICMP UNREACHABLE is returned for blocked UDP packets, and all other packets are silently dropped. .El 
@@ -517,6 +518,7 @@ actions are possible: Incoming packet is silently dropped. .It Ar return Incoming packet is dropped and TCP RST is returned for TCP packets, +an SCTP ABORT chunk is returned for blocked SCTP packets, an ICMP UNREACHABLE is returned for UDP packets, and no response is sent for other packets. .El @@ -1267,8 +1269,8 @@ A stateful connection is automatically created to track packets matching such a rule as long as they are not blocked by the filtering section of .Nm pf.conf . The translation engine modifies the specified address and/or port in the -packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to -the packet filter for evaluation. +packet, recalculates IP, TCP and UDP checksums as necessary, and passes +it to the packet filter for evaluation. .Pp Since translation occurs before filtering the filter engine will see packets as they look after any @@ -1404,6 +1406,7 @@ and layer 4 (see .Xr icmp 4 , .Xr icmp6 4 , .Xr tcp 4 , +.Xr sctp 4 , .Xr udp 4 ) headers. In addition, packets may also be @@ -1453,7 +1456,8 @@ can be overridden by specifying a message as a code or number. .It Ar return This causes a TCP RST to be returned for .Xr tcp 4 -packets and an ICMP UNREACHABLE for UDP and other packets. +packets, an SCTP ABORT for SCTP +and an ICMP UNREACHABLE for UDP and other packets. .El .Pp Options returning ICMP packets currently have no effect if @@ -1654,6 +1658,7 @@ Common protocols are .Xr icmp 4 , .Xr icmp6 4 , .Xr tcp 4 , +.Xr sctp 4 , and .Xr udp 4 . For a list of all the protocol name to number mappings used by 
@@ -2853,6 +2858,14 @@ reference to an anchor name containing characters will require double quote .Pq Sq \&" characters around the anchor name. +.Sh SCTP CONSIDERATIONS +.Xr pf 4 +supports +.Xr sctp 4 +connections. +It can match ports, track state and NAT SCTP traffic. +However, it will not alter port numbers during nat or rdr translations. +Doing so would break SCTP multihoming. .Sh TRANSLATION EXAMPLES This example maps incoming requests on port 80 to port 8080, on which a daemon is running (because, for example, it is not run as root, @@ -3319,6 +3332,7 @@ Service name database. .Xr pf 4 , .Xr pfsync 4 , .Xr tcp 4 , +.Xr sctp 4 , .Xr udp 4 , .Xr hosts 5 , .Xr pf.os 5 ,
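Review bot: in the hunk at @@ -517,6 +518,7 @@ the added line reads "an SCTP ABORT chunk is returned for blocked SCTP packets," but the neighbouring lines in that list say "for TCP packets" and "for UDP packets" without "blocked", because the lead-in already states "Incoming packet is dropped and"; dropping the word keeps the three clauses parallel: "an SCTP ABORT chunk is returned for SCTP packets,".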
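Review bot: the hunk at @@ -1267,8 +1269,8 @@ only rewraps "The translation engine modifies the specified address and/or port in the packet ...", yet this commit introduces a port-translation exception for SCTP in the new SCTP CONSIDERATIONS section; since that sentence is where a reader learns that ports get rewritten, consider adding a short pointer there (e.g. "except for SCTP, see SCTP CONSIDERATIONS") rather than leaving the exception only at the end of the page.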
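Review bot: in the hunks at @@ -1404,6 +1406,7 @@ and @@ -1654,6 +1658,7 @@ the new ".Xr sctp 4 ," is inserted after ".Xr tcp 4 ,", which breaks the alphabetical order the surrounding lists follow (icmp, icmp6, tcp, udp); placing it before ".Xr tcp 4 ," keeps the lists sorted.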
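Review bot: the hunk at @@ -1453,7 +1456,8 @@ says "an SCTP ABORT for SCTP" while the two earlier hunks say "an SCTP ABORT chunk" and the adjacent TCP reference in this very list is marked up as ".Xr tcp 4"; for consistency write "packets, an SCTP ABORT chunk for" followed by ".Xr sctp 4" on its own line, matching the TCP wording and markup.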
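Review bot: the new SCTP CONSIDERATIONS section (hunk @@ -2853,6 +2858,14 @@) states that port numbers are never altered during nat or rdr translations but not what happens to a rule that asks for it, e.g. an rdr rule naming a different destination port for SCTP: is the port part ignored, is the rule rejected at load time, or does the packet fall through? Stating the observable behaviour would save users from debugging an apparently matching rule; also, "nat" and "rdr" should carry the same keyword markup the TRANSLATION section uses for them rather than appearing as plain words.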
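Review bot: in the SEE ALSO hunk at @@ -3319,6 +3332,7 @@ ".Xr sctp 4 ," is added between ".Xr tcp 4 ," and ".Xr udp 4 ,"; SEE ALSO entries are sorted alphabetically within a section, so it belongs between ".Xr pfsync 4 ," and ".Xr tcp 4 ,".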