[iptables PATCH 10/13] extensions: tcp: Translate TCP option match

A simple task since 'tcp option' expression exists.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/libxt_tcp.c      | 9 ++++++---
 extensions/libxt_tcp.txlate | 6 ++++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 0b115cddf15d9..043382d47b8ba 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -430,9 +430,12 @@ static int tcp_xlate(struct xt_xlate *xl,
 		space = " ";
 	}
 
-	/* XXX not yet implemented */
-	if (tcpinfo->option || (tcpinfo->invflags & XT_TCP_INV_OPTION))
-		return 0;
+	if (tcpinfo->option) {
+		xt_xlate_add(xl, "%stcp option %u %s", space, tcpinfo->option,
+			     tcpinfo->invflags & XT_TCP_INV_OPTION ?
+			     "missing" : "exists");
+		space = " ";
+	}
 
 	if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
 		xt_xlate_add(xl, "%stcp flags %s", space,
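Review bot: the new guard `if (tcpinfo->option) {` drops the `(tcpinfo->invflags & XT_TCP_INV_OPTION)` half of the condition it replaces, so a match with the inversion flag set but `option` equal to 0 would now translate to nothing at all rather than making `tcp_xlate` return 0 as before. If the option parser already rejects 0 this is harmless, but it would be safer to keep the flag in the condition (or return 0 when the flag is set without an option value) so an unrepresentable match still fails the translation instead of silently disappearing. The `space = " ";` after the new `xt_xlate_add()` call correctly mirrors the dport block above so the following `tcp flags` output stays separated.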
diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index 921d4af024d32..a1f0e909bb46c 100644
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -24,3 +24,9 @@ nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter
 
 iptables-translate -A INPUT ! -f -p tcp --dport 22
 nft add rule ip filter INPUT ip frag-off & 0x1fff 0 tcp dport 22 counter
+
+iptables-translate -A INPUT -p tcp --tcp-option 23
+nft add rule ip filter INPUT tcp option 23 exists counter
+
+iptables-translate -A INPUT -p tcp ! --tcp-option 23
+nft add rule ip filter INPUT tcp option 23 missing counter
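Review bot: the two new cases only exercise `--tcp-option` on its own; consider adding one that combines it with another tcp match (for example `--dport 22 --tcp-option 23` or `--tcp-option 23 --tcp-flags SYN,ACK SYN`) so the `space` handling between the new `tcp option` block and the neighbouring `tcp dport` / `tcp flags` output in libxt_tcp.c is covered by the txlate test as well.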
-- 
2.38.0

