Discussion:
pf - SCTP ports are not allowed in filter rules.
Özkan KIRIK
2021-04-25 05:56:49 UTC
Hi,

The SCTP protocol header has src port and dst port fields. But pf doesn't
support them.

# echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
stdin:1: port only applies to tcp/udp
stdin:1: skipping rule due to errors
stdin:1: rule expands to no valid combination
pfctl: Syntax error in config file: pf rules not loaded
#

I tried to write the same rule with ipfw. It works.

# ipfw add 200 allow sctp from any to any 13873
00200 allow sctp from any to any 13873

Do I have a mistake, or is filtering for SCTP ports not supported by pf?
Is it possible to fix?

Best Regards
Ozkan
Kristof Provost
2021-04-25 08:08:52 UTC
Post by Özkan KIRIK
> The SCTP protocol header has src port and dst port fields. But pf doesn't
> support them.
> # echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
> stdin:1: port only applies to tcp/udp
> stdin:1: skipping rule due to errors
> stdin:1: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
> #
> I tried to write the same rule with ipfw. It works.
> # ipfw add 200 allow sctp from any to any 13873
> 00200 allow sctp from any to any 13873
> Do I have a mistake, or is filtering for SCTP ports not supported by pf?
> Is it possible to fix?
Pf does not support SCTP in any meaningful way.

I have no plans to add SCTP support either. Note that doing so involves
a lot more than just teaching it to look at SCTP port numbers. Pf is a
/stateful/ firewall, so we’d have to teach it the entire SCTP protocol
lifecycle.

Best regards,
Kristof
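The two points above (the ports are right there in the SCTP common header, but filtering them in a stateful firewall means following the whole association lifecycle) can be made concrete with a small decoder and state tracker. This is an added example, not code from the thread, from pf or from FreeBSD: it parses the common header and chunk list, then applies a port rule only when no association state exists and advances a simplified INIT / INIT ACK / COOKIE ECHO / COOKIE ACK / SHUTDOWN state machine otherwise. The packets, addresses, verification tags and cookie bytes are constructed inline; the checksum field is left at zero and not verified, and the real SCTP state machine has more states and options than shown here.

```python
"""Added example (not from the thread, pf or FreeBSD): decode the SCTP common
header and chunks, then track a simplified association lifecycle so that a
port rule can be applied statefully. Sample packets are constructed here;
checksums are left at zero and not verified."""
import struct

# Common header (RFC 4960 s3.1): src port, dst port, verification tag, checksum
COMMON_HEADER = struct.Struct("!HHII")
CHUNK_HEADER = struct.Struct("!BBH")  # type, flags, length (including this header)

CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT_ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN_ACK",
               9: "ERROR", 10: "COOKIE_ECHO", 11: "COOKIE_ACK",
               14: "SHUTDOWN_COMPLETE"}


def parse_sctp(packet):
    """Return the header fields and a list of (chunk name, flags, value)."""
    if len(packet) < COMMON_HEADER.size:
        raise ValueError("truncated SCTP common header")
    sport, dport, vtag, checksum = COMMON_HEADER.unpack_from(packet, 0)
    chunks, off = [], COMMON_HEADER.size
    while off + CHUNK_HEADER.size <= len(packet):
        ctype, flags, length = CHUNK_HEADER.unpack_from(packet, off)
        if length < CHUNK_HEADER.size or off + length > len(packet):
            raise ValueError("bad chunk length at offset %d" % off)
        value = packet[off + CHUNK_HEADER.size:off + length]
        chunks.append((CHUNK_NAMES.get(ctype, "UNKNOWN_%d" % ctype), flags, value))
        off += length + (-length % 4)  # chunks are padded to a 4-byte boundary
    return {"sport": sport, "dport": dport, "vtag": vtag,
            "checksum": checksum, "chunks": chunks}


def build_packet(sport, dport, vtag, chunks):
    """Build a constructed test packet; the checksum field is left as zero."""
    body = b""
    for ctype, flags, value in chunks:
        length = CHUNK_HEADER.size + len(value)
        body += CHUNK_HEADER.pack(ctype, flags, length) + value
        body += b"\x00" * (-length % 4)
    return COMMON_HEADER.pack(sport, dport, vtag, 0) + body


# Simplified lifecycle as seen by a firewall in the middle: one entry per
# association, advanced by the control chunks observed in either direction.
TRANSITIONS = {
    ("CLOSED", "INIT"): "INIT_SEEN",
    ("INIT_SEEN", "INIT_ACK"): "INIT_ACK_SEEN",
    ("INIT_ACK_SEEN", "COOKIE_ECHO"): "COOKIE_ECHO_SEEN",
    ("COOKIE_ECHO_SEEN", "COOKIE_ACK"): "ESTABLISHED",
    ("ESTABLISHED", "SHUTDOWN"): "SHUTDOWN_SEEN",
    ("SHUTDOWN_SEEN", "SHUTDOWN_ACK"): "SHUTDOWN_ACK_SEEN",
    ("SHUTDOWN_ACK_SEEN", "SHUTDOWN_COMPLETE"): "CLOSED",
}
STEADY_STATE_CHUNKS = {"DATA", "SACK", "HEARTBEAT", "HEARTBEAT_ACK"}


def next_state(state, chunk):
    """New association state, or None if the chunk is invalid in this state."""
    if chunk == "ABORT":
        return "CLOSED"
    if chunk in STEADY_STATE_CHUNKS:
        return state if state == "ESTABLISHED" else None
    return TRANSITIONS.get((state, chunk))


def association_key(src_ip, dst_ip, sport, dport):
    # Direction-independent key so both halves of the handshake hit one entry
    return tuple(sorted([(src_ip, sport), (dst_ip, dport)]))


class SctpFilter:
    """A destination-port rule plus a state table: what a stateful
    'pass proto sctp ... port N' rule would need underneath it."""

    def __init__(self, rule_dport):
        self.rule_dport = rule_dport
        self.assoc = {}

    def handle(self, src_ip, dst_ip, packet):
        pkt = parse_sctp(packet)
        key = association_key(src_ip, dst_ip, pkt["sport"], pkt["dport"])
        state = self.assoc.get(key, "CLOSED")
        # No existing state: the rule's port has to match to create one
        if state == "CLOSED" and pkt["dport"] != self.rule_dport:
            return "block"
        for name, _flags, _value in pkt["chunks"]:
            state = next_state(state, name)
            if state is None:
                return "drop"  # chunk out of sequence for this association
        self.assoc[key] = state
        return "pass"


# Constructed handshake between 10.0.0.2:5000 and 10.0.0.1:13873 (the port
# from the thread); tags, stream counts and the cookie are made-up values.
INIT_PARAMS = struct.pack("!IIHHI", 0x12345678, 65535, 10, 10, 1)
HANDSHAKE = [
    ("10.0.0.2", "10.0.0.1", build_packet(5000, 13873, 0, [(1, 0, INIT_PARAMS)])),
    ("10.0.0.1", "10.0.0.2", build_packet(13873, 5000, 0x12345678, [(2, 0, INIT_PARAMS)])),
    ("10.0.0.2", "10.0.0.1", build_packet(5000, 13873, 0xABCDEF01, [(10, 0, b"cookie")])),
    ("10.0.0.1", "10.0.0.2", build_packet(13873, 5000, 0x12345678, [(11, 0, b"")])),
]


def run_demo():
    """Run the handshake, then a DATA chunk from a host that never did one."""
    fw = SctpFilter(rule_dport=13873)
    verdicts = [fw.handle(*p) for p in HANDSHAKE]
    key = association_key("10.0.0.2", "10.0.0.1", 5000, 13873)
    stray = fw.handle("10.0.0.3", "10.0.0.1",
                      build_packet(5001, 13873, 7, [(0, 0, b"x")]))
    return verdicts, fw.assoc[key], stray


if __name__ == "__main__":
    print(run_demo())
```

The port check alone is a one-line comparison; everything after it is the part a stateful filter cannot skip, which is the cost Kristof refers to. Replies in the established association pass on state, not on the port rule, and a DATA chunk with no preceding handshake is dropped even though its destination port matches.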
Kurt Jaeger
2021-04-25 08:57:59 UTC
Hi!
Post by Özkan KIRIK
> The SCTP protocol header has src port and dst port fields. But pf doesn't
> support them.
> # echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
> stdin:1: port only applies to tcp/udp
> stdin:1: skipping rule due to errors
> stdin:1: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
> #
> I tried to write the same rule with ipfw. It works.
> # ipfw add 200 allow sctp from any to any 13873
> 00200 allow sctp from any to any 13873
> Do I have a mistake, or is filtering for SCTP ports not supported by pf?
> Is it possible to fix?
sys/netpfil/pf/ has some ifdefs that reference SCTP.

So, if you recompile your kernel with

options SCTP
options SCTP_SUPPORT

it might improve, but the ifdefed code does not seem very far-reaching.
The user-space tooling (pfctl) does not seem to support sctp as a keyword?
--
***@opsec.eu +49 171 3101372 Now what ?