Date: Sun, 25 Apr 2021 10:57:59 +0200
From: Kurt Jaeger <pi@freebsd.org>
To: Özkan KIRIK <ozkan.kirik@gmail.com>
Cc: freebsd-pf@freebsd.org, Kristof Provost <kp@freebsd.org>
Subject: Re: pf - SCTP ports are not allowed in filter rules.
Message-ID: <YIUvF/nlnjE/Xuth@home.opsec.eu>
In-Reply-To: <CAAcX-AFLLPOuLws+=qFYp9KXNqD_cYWpA3zbDr2WOgNLMnKRKg@mail.gmail.com>
References: <CAAcX-AFLLPOuLws+=qFYp9KXNqD_cYWpA3zbDr2WOgNLMnKRKg@mail.gmail.com>
Hi!

> SCTP protocol header has src port and dst port fields. But pf doesn't
> support it.
>
> # echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
> stdin:1: port only applies to tcp/udp
> stdin:1: skipping rule due to errors
> stdin:1: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
> #
>
> I tried to write the same rule with ipfw. It works.
>
> # ipfw add 200 allow sctp from any to any 13873
> 00200 allow sctp from any to any 13873
>
> Do I have a mistake, or is filtering for SCTP ports not supported by pf?
> Is it possible to fix?

sys/netpfil/pf/ has some ifdefs that reference SCTP.

So, if you recompile your kernel with

  options SCTP
  options SCTP_SUPPORT

it might improve, but the ifdefed code does not seem very far-reaching.

The user-space tooling (pfctl) does not seem to support sctp as a keyword?

--
pi@opsec.eu         +49 171 3101372                    Now what ?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YIUvF/nlnjE/Xuth>