Multipath-TCP Filtering (filter modified TCP-Options?)

  • Good evening,

    I'm currently playing around with Multipath-TCP (MPTCP), running over my pfSense box.
    MPTCP uses the TCP header (to be precise, the TCP options) to store its sequence numbers; it has been officially assigned TCP option kind 30.
    My question is: Is it possible to configure pfSense to block/allow all MPTCP packets, i.e. all packets with TCP option kind 30 set?

    I've attached a Wireshark screenshot of an MPTCP packet.

    Thanks a lot in advance for your replies,


    ![Screenshot from 2013-11-17 17:54:05.png](/public/imported_attachments/1/Screenshot from 2013-11-17 17:54:05.png)

  • If there is no such feature, how could this be implemented and how much would it be (if I placed a bounty on this)?

    Cheers, SimPru

  • up

    Nobody? For iptables there is a "--tcp-option" match, but as far as I know there is no such feature for pf.
    Do you have any guess for me how much time it would take to write a patch for pf to enable TCP option filtering?

    regards, SimPru
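Whatever the firewall, a "match on TCP option kind 30" rule has to walk the TCP options list correctly: skip the single-byte EOL and NOP options, read the length byte of every other option, and refuse headers whose data offset or option lengths do not add up, since a sloppy parser can be steered past the MPTCP option by padding. The following is an added example (not code from this thread or from pfSense/pf) that parses a raw TCP header and decides whether it carries option kind 30, as the requested rule would. The option kind comes from the thread; the 12-byte MP_CAPABLE layout (kind, length, subtype/version byte, flags byte, 8-byte sender key) follows RFC 6824, and the packet bytes and sender key are constructed for the test.

```python
import struct

# TCP option kind assigned to Multipath TCP (the value the thread wants to match on).
MPTCP_OPTION_KIND = 30
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2


def parse_tcp_options(tcp_header: bytes):
    """Return [(kind, payload_bytes), ...] for every multi-byte option in a raw TCP header.

    EOL terminates the list, NOP is skipped, and any inconsistency between the
    data offset, the option length bytes and the actual header size is rejected
    rather than guessed at.  A filter that tolerates such headers can be evaded.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the fixed 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("data offset %d inconsistent with header size" % data_offset)
    opts = tcp_header[20:data_offset]

    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d truncated before its length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has invalid length %d" % (kind, length))
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result


def has_mptcp_option(tcp_header: bytes) -> bool:
    """True if the header carries TCP option kind 30, i.e. what a block/allow rule would match."""
    return any(kind == MPTCP_OPTION_KIND for kind, _ in parse_tcp_options(tcp_header))


def filter_decision(tcp_header: bytes, block_mptcp: bool = True) -> str:
    """Emulate a pass/block rule keyed on the MPTCP option; malformed headers are blocked."""
    try:
        mptcp = has_mptcp_option(tcp_header)
    except ValueError:
        return "block"
    return "block" if (mptcp and block_mptcp) else "pass"


def build_tcp_header(src_port: int, dst_port: int, options: bytes = b"") -> bytes:
    """Build a constructed SYN header with the given options, EOL-padded to 32-bit words."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset_words = 5 + len(padded) // 4
    fixed = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,                       # seq, ack (constructed values)
        data_offset_words << 4,     # data offset in the high nibble, reserved bits zero
        0x02,                       # SYN
        65535, 0, 0,                # window, checksum (not computed), urgent pointer
    )
    return fixed + padded


# Constructed sample options: MSS 1460 and an MP_CAPABLE option (subtype 0, version 0,
# flags 0x81, 8-byte sender key) with a made-up key.
MSS_OPTION = bytes([TCP_OPT_MSS, 4]) + struct.pack("!H", 1460)
MP_CAPABLE_OPTION = bytes([MPTCP_OPTION_KIND, 12, 0x00, 0x81]) + bytes.fromhex("0123456789abcdef")

PLAIN_SYN = build_tcp_header(40000, 80, MSS_OPTION)
MPTCP_SYN = build_tcp_header(40000, 80, MSS_OPTION + MP_CAPABLE_OPTION)
# NOPs before the option must not hide it from the filter.
MPTCP_SYN_WITH_NOPS = build_tcp_header(40000, 80, MSS_OPTION + b"\x01\x01" + MP_CAPABLE_OPTION)
# Option length byte claims more bytes than the header holds: must be rejected, not matched.
MALFORMED_SYN = build_tcp_header(40000, 80, bytes([MPTCP_OPTION_KIND, 40]))

if __name__ == "__main__":
    for name, hdr in (("plain", PLAIN_SYN), ("mptcp", MPTCP_SYN),
                      ("mptcp+nops", MPTCP_SYN_WITH_NOPS), ("malformed", MALFORMED_SYN)):
        print(name, filter_decision(hdr))
```

The equivalent one-liner on a Linux box, for comparison with what the thread asks of pf, is `iptables -A FORWARD -p tcp --tcp-option 30 -j DROP`; the Python above is what that match has to do internally, and the malformed-header case shows why a length-checking parser, not a byte scan for 0x1e, is needed.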

  • In the firewall rules, for your TCP rules, scroll down and check the advanced options. This could be something you are interested in:

    This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.

  • Thanks for your reply.

    Unfortunately this feature only works with IP options, not with TCP options…

  • Any news on this to make MPTCP work?