Netgate Discussion Forum

Multipath-TCP Filtering (filter modified TCP-Options?)

Firewalling
6 Posts 3 Posters 2.9k Views
  • S
    SimPru
    last edited by Nov 17, 2013, 4:58 PM

    Good evening,

    I'm currently playing around with Multipath-TCP (MPTCP, http://multipath-tcp.org/pmwiki.php/Main/HomePage) running over my pfSense box.
    MPTCP uses the TCP header (to be precise, the TCP options) to store its sequence numbers; it has been officially assigned the TCP option kind 30.
    My question is: Is it possible to configure pfSense to block/allow all MPTCP packets, i.e. all packets with TCP option kind 30 set?

    I've attached a Wireshark screenshot of an MPTCP packet.

    Thanks a lot in advance for your replies,

    SimPru

    ![Screenshot from 2013-11-17 17:54:05.png](/public/imported_attachments/1/Screenshot from 2013-11-17 17:54:05.png)

    • S
      SimPru
      last edited by Nov 19, 2013, 6:58 PM

      If there is no such feature, how could this be implemented and how much would it be (if I placed a bounty on this)?

      Cheers, SimPru

      • S
        SimPru
        last edited by Nov 24, 2013, 6:00 PM

        up

        Nobody? For iptables there is a "--tcp-option", but as far as I know there is no such feature for pf.
        Do you have any guess for me as to how much time it would take to write a patch for pf to enable TCP-option filtering?

        regards, SimPru

        • N
          Nachtfalke
          last edited by Nov 24, 2013, 10:06 PM

          In firewall rules for your TCP rules. Scroll down and check the advanced options. This could be something you are interested in:

          This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.

          • S
            SimPru
            last edited by Nov 25, 2013, 5:13 PM

            Thanks for your reply.

            Unfortunately this feature only works with IP options, not with TCP options…

            • K
              kappen
              last edited by Sep 12, 2016, 10:34 AM

              Any news on this to make MPTCP work?

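The check a TCP-option filter would have to make for the question in this thread, as an added example that is not part of any post and is not pf, pfSense or iptables code: it walks the options area of a raw TCP header and reports whether kind 30 is present. The sample headers, ports and the all-zero MP_CAPABLE key are constructed, and `tcp_option_kinds`, `classify` and `build_header` are hypothetical names.

```python
import struct

MPTCP_KIND = 30  # TCP option kind the thread gives for MPTCP

def tcp_option_kinds(tcp_header: bytes) -> list:
    """Walk the options area of a raw TCP header and return the kinds seen."""
    if len(tcp_header) < 20:
        raise ValueError("shorter than the fixed 20-byte TCP header")
    header_len = (tcp_header[12] >> 4) * 4      # data offset, in bytes
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("data offset outside the captured bytes")
    opts, kinds, i = tcp_header[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # End of Option List
            break
        if kind == 1:                           # NOP padding, one byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option cut off before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs outside the header")
        kinds.append(kind)
        i += length
    return kinds

def classify(tcp_header: bytes) -> str:
    """Verdict a filter could act on: 'mptcp', 'plain' or 'malformed'."""
    try:
        return "mptcp" if MPTCP_KIND in tcp_option_kinds(tcp_header) else "plain"
    except ValueError:
        return "malformed"

def build_header(options: bytes) -> bytes:
    """Constructed SYN header for the demo; options must be a multiple of 4 bytes."""
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02, 65535, 0, 0) + options

MSS = bytes([2, 4, 0x05, 0xB4])                          # kind 2, MSS 1460
MP_CAPABLE = bytes([30, 12, 0x00, 0x81]) + bytes(8)      # kind 30, constructed all-zero key
SAMPLES = {
    "mptcp_syn": build_header(MSS + b"\x01\x01" + MP_CAPABLE + b"\x01\x01"),
    "plain_syn": build_header(MSS),
    "bad_length": build_header(MSS + bytes([30, 40, 0, 0])),  # claims 40 bytes, has 4
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, classify(hdr))
```

A header whose option lengths do not add up is reported as `malformed` rather than `plain`, so a filter built on this check can treat it separately instead of letting it through as ordinary TCP.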