Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    100$ - Filter Packets with TCP Options (TCP Option Kind 30, MPTCP)

    Scheduled Pinned Locked Moved
    Bounties
    2
    4
    2.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SimPru
      last edited by

      Heyho,

      I'm looking for someone that can create the possibility to filter/block TCP-Packets with TCP-Option 30 (=MPTCP).
      I've already posted in the firewalling-section, but up to now I did not get a satisfying answer, see http://forum.pfsense.org/index.php/topic,69310.0.html .

      What I want is a feature, preferably a firewall-option, that allows me to allow or disallow TCP-Packets with the TCP-Option 30 to pass.

      As far as I understand the problem, pf itself does not have such a feature. For iptables on Linux there is a –tcp-option flag, that does exactly what I want.
      A few years ago Krzysztof Pfaff did a patch that worked with SACK-options, which are also stored in the TCP-Options-field, his patch can be found here: http://openbsd.7691.n7.nabble.com/pf-modulate-state-amp-TCP-option-SACK-modulation-by-pf-patch-2-td152802.html

      I know that $100 is not that much for something that requires a patch to pf itself, but I hope that maybe someone else regards MPTCP-filtering as a useful feature (for the future).
      The MPTCP-implementation for the BSD-kernel is still under development, see here: http://caia.swin.edu.au/urp/newtcp/mptcp/tools.html

      For the sake of completeness:
      The RFC of MPTCP: http://tools.ietf.org/html/rfc6824
      The list of TCP-Option-Kinds: http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
      And the link of the linux-kernel-implementation of MPTCP: http://multipath-tcp.org/

      Thanks a lot in advance :)

      1 Reply Last reply Reply Quote 0
      • S
        SimPru
        last edited by

        Since I did not find someone to implement this for me, the bounty is now:
        150$ for a pf-patch that allows me to filter/block packages depending on what TCP-option kind is set.

        I do not necessarily need this implemented in the pfsense-GUI, CLI is also ok.

        1 Reply Last reply Reply Quote 0
        • E
          eri--
          last edited by

          I can do this for you.

          The only problem is that you want to drop packets with options you specify, right?

          This means you want to specify if option 30 is active in tcp session drop this packet?

          1 Reply Last reply Reply Quote 0
          • S
            SimPru
            last edited by

            I need a feature, either CLI or GUI, that allows me to configure to drop every package that has a TCP-option with kind 30.
            Iptables e.g. has a command line switch –tcp-option xx that matches every package with a tcp-option of kind xx.
            Since I need it only for MPTCP-packages, it is not necessary (but it would be nice) to work with all kind of TCP-options, it can also be hardcoded to work only with kind 30.

            I hope that answers your question.

            Thanks in advance,

            SimPru

            1 Reply Last reply Reply Quote 0
            • First post
              Last post