author: Kristof Provost <kp@FreeBSD.org> 2023-06-21 08:04:07 +0000
committer: Kristof Provost <kp@FreeBSD.org> 2023-08-11 12:13:10 +0000
commit: c46419526269025a797a365a240b8fcd307e4281 (patch)
tree: 1918a5fdd9148e9e7045ec57df756bed75a01265
parent: d77d4c6a04192859dabee22ce49d8e115a20d45c (diff)
pf.conf.5: document SCTP support
Mention SCTP in the pf.conf.5

Reviewed by: tuexen
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40870

(cherry picked from commit 47d0c1fe7d3279e9d38df75cf0c359b1fbc26d5e)
-rw-r--r-- share/man/man5/pf.conf.5 | 22
1 files changed, 18 insertions, 4 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index cc1b902e0006..95710027bdf3 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -28,7 +28,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd September 25, 2021
+.Dd June 21, 2023
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -491,6 +491,7 @@ action:
Packet is silently dropped.
.It Ar return
A TCP RST is returned for blocked TCP packets,
+an SCTP ABORT chunk is returned for blocked SCTP packets,
an ICMP UNREACHABLE is returned for blocked UDP packets,
and all other packets are silently dropped.
.El
@@ -515,6 +516,7 @@ actions are possible:
Incoming packet is silently dropped.
.It Ar return
Incoming packet is dropped and TCP RST is returned for TCP packets,
+an SCTP ABORT chunk is returned for blocked SCTP packets,
an ICMP UNREACHABLE is returned for UDP packets,
and no response is sent for other packets.
.El
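Review bot: the added line "an SCTP ABORT chunk is returned for blocked SCTP packets," is inconsistent with its neighbours in this hunk, which say "for TCP packets" and "for UDP packets" without "blocked" because the lead-in "Incoming packet is dropped" already covers it; drop "blocked" here so the three clauses read alike (the earlier hunk at line 491 is the one where "blocked" fits, since its neighbours use it too).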
@@ -1139,8 +1141,8 @@ A stateful connection is automatically created to track packets matching
such a rule as long as they are not blocked by the filtering section of
.Nm pf.conf .
The translation engine modifies the specified address and/or port in the
-packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to
-the packet filter for evaluation.
+packet, recalculates IP, TCP and UDP checksums as necessary, and passes
+it to the packet filter for evaluation.
.Pp
Since translation occurs before filtering the filter
engine will see packets as they look after any
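Review bot: this hunk only rewraps the sentence without changing its content, but it leaves "recalculates IP, TCP and UDP checksums" as the complete list while the new SCTP CONSIDERATIONS section in this same patch says pf NATs SCTP traffic; either state here whether the SCTP checksum is recalculated after address rewriting, or, if the rewrap is purely cosmetic, drop the hunk to keep the diff minimal.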
@@ -1276,6 +1278,7 @@ and layer 4 (see
.Xr icmp 4 ,
.Xr icmp6 4 ,
.Xr tcp 4 ,
+.Xr sctp 4 ,
.Xr udp 4 )
headers.
In addition, packets may also be
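Review bot: ".Xr sctp 4" is inserted after ".Xr tcp 4", which breaks the alphabetical order the existing list follows (icmp, icmp6, tcp, udp); move it before ".Xr tcp 4". The same ordering point applies to the other Xr lists this patch extends (the "Common protocols are" list and SEE ALSO).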
@@ -1325,7 +1328,8 @@ can be overridden by specifying a message as a code or number.
.It Ar return
This causes a TCP RST to be returned for
.Xr tcp 4
-packets and an ICMP UNREACHABLE for UDP and other packets.
+packets, an SCTP ABORT for SCTP
+and an ICMP UNREACHABLE for UDP and other packets.
.El
.Pp
Options returning ICMP packets currently have no effect if
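Review bot: "packets, an SCTP ABORT for SCTP" is missing the noun and the cross reference that the TCP clause just above it has; for consistency with ".Xr tcp 4" suggest "packets, an SCTP ABORT for" / ".Xr sctp 4" / "packets, and an ICMP UNREACHABLE for UDP and other packets." so each protocol is styled the same way and the sentence parses as a list of three.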
@@ -1515,6 +1519,7 @@ Common protocols are
.Xr icmp 4 ,
.Xr icmp6 4 ,
.Xr tcp 4 ,
+.Xr sctp 4 ,
and
.Xr udp 4 .
For a list of all the protocol name to number mappings used by
@@ -2717,6 +2722,14 @@ reference to an anchor name containing
characters will require double quote
.Pq Sq \&"
characters around the anchor name.
+.Sh SCTP CONSIDERATIONS
+.Xr pf 4
+supports
+.Xr sctp 4
+connections.
+It can match ports, track state and NAT SCTP traffic.
+However, it will not alter port numbers during nat or rdr translations.
+Doing so would break SCTP multihoming.
.Sh TRANSLATION EXAMPLES
This example maps incoming requests on port 80 to port 8080, on
which a daemon is running (because, for example, it is not run as root,
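Review bot: the new section says pf "will not alter port numbers during nat or rdr translations" but not what happens when a rule nevertheless specifies a target port for SCTP (is the port silently ignored, or is the rule rejected by pfctl?); since the very next section opens with an example that redirects port 80 to port 8080, readers may assume that example applies to SCTP, so spell out the behaviour. Two smaller points: SCTP terminology is "associations" rather than "connections", and "nat" and "rdr" should carry the same mdoc markup the rest of this page uses for rule keywords instead of bare text.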
@@ -3162,6 +3175,7 @@ Service name database.
.Xr pf 4 ,
.Xr pfsync 4 ,
.Xr tcp 4 ,
+.Xr sctp 4 ,
.Xr udp 4 ,
.Xr hosts 5 ,
.Xr pf.os 5 ,
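Review bot: SEE ALSO entries are sorted by section and then alphabetically, and mandoc's lint mode warns when they are not; ".Xr sctp 4" belongs between ".Xr pfsync 4" and ".Xr tcp 4", not after tcp.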