The issue is in SCTP state handling added in FreeBSD D42393 - https://reviews-dev.freebsd.org/D42393
The SCTP ABORT mechanism is not handled correctly by the state handling in src/sys/netpfil/pf/pf.c - function pf_test_state_sctp
In the current code, when an ABORT chunk is received on an association, the state moves to 'CLOSING'.
However, the RFC (RFC4960 section 3.3.7) is clear on the expected behaviour on receipt of an ABORT:
“under any circumstances, an endpoint that receives an ABORT MUST NOT respond to that ABORT by sending an ABORT of its own.”
Basically, an ABORT kills an association immediately with no acknowledgement allowed.
This is in contrast to the SHUTDOWN which should be replied to with SHUTDOWN_COMPLETE.
In terms of firewall states, this means that the state should move to CLOSED immediately upon receipt of a correctly formatted ABORT chunk.
For example, in src/sys/netpfil/pf/pf.c - function pf_test_state_sctp, the following conditional statement should not include the ABORT:
if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN | PFDESC_SCTP_ABORT |
PFDESC_SCTP_SHUTDOWN_COMPLETE)) {
And the following conditional statement should include PFDESC_SCTP_ABORT:
if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE)) {
Updated by 
Updated by