100$ - Filter Packets with TCP Options (TCP Option Kind 30, MPTCP)
I'm looking for someone that can create the possibility to filter/block TCP-Packets with TCP-Option 30 (=MPTCP).
I've already posted in the firewalling-section, but up to now I did not get a satisfying answer, see http://forum.pfsense.org/index.php/topic,69310.0.html .
What I want is a feature, preferably a firewall-option, that allows me to allow or disallow TCP-Packets with the TCP-Option 30 to pass.
As far as I understand the problem, pf itself does not have such a feature. For iptables on Linux there is a –tcp-option flag, that does exactly what I want.
A few years ago Krzysztof Pfaff did a patch that worked with SACK-options, which are also stored in the TCP-Options-field, his patch can be found here: http://openbsd.7691.n7.nabble.com/pf-modulate-state-amp-TCP-option-SACK-modulation-by-pf-patch-2-td152802.html
I know that $100 is not that much for something that requires a patch to pf itself, but I hope that maybe someone else regards MPTCP-filtering as a useful feature (for the future).
The MPTCP-implementation for the BSD-kernel is still under development, see here: http://caia.swin.edu.au/urp/newtcp/mptcp/tools.html
For the sake of completeness:
The RFC of MPTCP: http://tools.ietf.org/html/rfc6824
The list of TCP-Option-Kinds: http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
And the link of the linux-kernel-implementation of MPTCP: http://multipath-tcp.org/
Thanks a lot in advance :)
Since I did not find someone to implement this for me, the bounty is now:
150$ for a pf-patch that allows me to filter/block packages depending on what TCP-option kind is set.
I do not necessarily need this implemented in the pfsense-GUI, CLI is also ok.
I can do this for you.
The only problem is that you want to drop packets with options you specify, right?
This means you want to specify if option 30 is active in tcp session drop this packet?
I need a feature, either CLI or GUI, that allows me to configure to drop every package that has a TCP-option with kind 30.
Iptables e.g. has a command line switch –tcp-option xx that matches every package with a tcp-option of kind xx.
Since I need it only for MPTCP-packages, it is not necessary (but it would be nice) to work with all kind of TCP-options, it can also be hardcoded to work only with kind 30.
I hope that answers your question.
Thanks in advance,