Multipath-TCP Filtering (filter modified TCP-Options?)
-
Good evening,
I'm currently playing around with Multipath-TCP (MPTCP, http://multipath-tcp.org/pmwiki.php/Main/HomePage) running over my pfSense box.
MPTCP uses the TCP header (to be precise, the TCP options) to store its sequence numbers; it has been officially assigned the TCP option kind 30.
My question is: Is it possible to configure pfSense to block/allow all MPTCP packets, i.e. all packets with TCP option kind 30 set? I've attached a Wireshark screenshot of an MPTCP packet.
Thanks a lot in advance for your replies,
SimPru
![Screenshot from 2013-11-17 17:54:05.png](/public/imported_attachments/1/Screenshot from 2013-11-17 17:54:05.png)
-
If there is no such feature, how could this be implemented and how much would it be (if I placed a bounty on this)?
Cheers, SimPru
-
up
Nobody? For iptables there is a "--tcp-option", but as far as I know there is no such feature for pf.
Do you have any guess for me as to how much time it would take to write a patch for pf to enable tcp-option filtering?
regards, SimPru
-
In firewall rules for your TCP rules. Scroll down and check the advanced options. This could be something you are interested in:
This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.
-
Thanks for your reply.
Unfortunately this feature only works with IP options, not with TCP options…
-
Any news on this to make MPTCP work?
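
An added example, not part of any post in this thread and not pf or pfSense code: a sketch of the check a filter matching on TCP option kind 30 has to perform, walking the options area of a raw TCP header and rejecting malformed lengths. The function names and the sample headers are constructed for illustration.

```python
import struct

MPTCP_KIND = 30  # TCP option kind assigned to MPTCP, as stated in the thread


def tcp_options(tcp_header: bytes):
    """Yield (kind, data) for every option in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List
            return
        if kind == 1:  # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without a length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the header")
        yield kind, opts[i + 2:i + length]
        i += length


def has_mptcp(tcp_header: bytes) -> bool:
    """True if any option in the header has kind 30."""
    return any(kind == MPTCP_KIND for kind, _ in tcp_options(tcp_header))


def build_header(options: bytes) -> bytes:
    """Constructed sample: a SYN header carrying the given option bytes."""
    options += b"\x01" * (-len(options) % 4)  # pad with NOPs to 32 bits
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x002  # SYN flag
    fixed = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, offset_flags, 65535, 0, 0)
    return fixed + options


MSS = b"\x02\x04\x05\xb4"                        # kind 2, MSS 1460
KIND30 = b"\x1e\x0c\x00\x81" + bytes(8)          # constructed kind-30 option
PLAIN_SYN = build_header(MSS)
MPTCP_SYN = build_header(MSS + KIND30)
```

A filter also has to decide what to do when the option list is malformed; here the parser raises `ValueError` so the caller can choose to drop the packet rather than treat it as "no MPTCP".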