Multipath-TCP Filtering (filter modified TCP-Options?)

SimPru

Good evening,

i'm currently playing around with Multipath-TCP (MPTCP, http://multipath-tcp.org/pmwiki.php/Main/HomePage) running over my pfSense box.
MPTCP uses the TCP-Header (to be precise the TCP options) to store its sequence numbers, it has been officially assigned the TCP option kind 30.
My question is: Is it possible to configure PFSense to block/allow all MPTCP-packets, i.e. all packages with TPC option kind 30 set?

I've attached a Wireshark-Screenshot of a MPTCP-package.

Thanks a lot in advance for your replies,

SimPru

![Screenshot from 2013-11-17 17:54:05.png_thumb](/public/imported_attachments/1/Screenshot from 2013-11-17 17:54:05.png_thumb)
![Screenshot from 2013-11-17 17:54:05.png](/public/imported_attachments/1/Screenshot from 2013-11-17 17:54:05.png)

SimPru

If there is no such feature, how could this be implemented and how much would it be (if I placed a bounty on this)?

Cheers, SimPru

SimPru

up

Nobody? For iptables there is a "–tcp-option", but as far as I know there is no such feature for pf.
Do you have any guess for me, how much time it would take to write a patch for pf to enable tcp-option filtering?

regards, SimPru

Nachtfalke

In firewall rules for your TCP rules. Scroll down and check the advanced options. This could be something you are interested in:


This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.

SimPru

Thanks for your reply.

Unfortunately this features only works with IP-Options, not with TCP-Options…

kappen

Any new on this to make mptcp work ?