extensions: tcp: Translate TCP option match

A simple task since 'tcp option' expression exists.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 0b115cddf15d9814ccae61ff514c74978aa70324..043382d47b8ba56e4f23275012975e8bd238a4cf 100644 (file)
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -430,9 +430,12 @@ static int tcp_xlate(struct xt_xlate *xl,
                space = " ";
        }
 
-       /* XXX not yet implemented */
-       if (tcpinfo->option || (tcpinfo->invflags & XT_TCP_INV_OPTION))
-               return 0;
+       if (tcpinfo->option) {
+               xt_xlate_add(xl, "%stcp option %u %s", space, tcpinfo->option,
+                            tcpinfo->invflags & XT_TCP_INV_OPTION ?
+                            "missing" : "exists");
+               space = " ";
+       }
 
        if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
                xt_xlate_add(xl, "%stcp flags %s", space,

diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index 921d4af024d32e0c7df2e3daf6bd2fbec4681732..a1f0e909bb46c0bb7c3fdd73f9bc8f5b44516d94 100644 (file)
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -24,3 +24,9 @@ nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter
 
 iptables-translate -A INPUT ! -f -p tcp --dport 22
 nft add rule ip filter INPUT ip frag-off & 0x1fff 0 tcp dport 22 counter
+
+iptables-translate -A INPUT -p tcp --tcp-option 23
+nft add rule ip filter INPUT tcp option 23 exists counter
+
+iptables-translate -A INPUT -p tcp ! --tcp-option 23
+nft add rule ip filter INPUT tcp option 23 missing counter