From 0b946dabf34a068adf3e35924578ffb06a249bb8 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 17 Nov 2022 16:39:40 +0100
Subject: extensions: tcp: Translate TCP option match

A simple task since 'tcp option' expression exists.

Signed-off-by: Phil Sutter
---
 extensions/libxt_tcp.txlate | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'extensions/libxt_tcp.txlate')

diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index 921d4af0..a1f0e909 100644
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -24,3 +24,9 @@ nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter
 iptables-translate -A INPUT ! -f -p tcp --dport 22
 nft add rule ip filter INPUT ip frag-off & 0x1fff 0 tcp dport 22 counter
+
+iptables-translate -A INPUT -p tcp --tcp-option 23
+nft add rule ip filter INPUT tcp option 23 exists counter
+
+iptables-translate -A INPUT -p tcp ! --tcp-option 23
+nft add rule ip filter INPUT tcp option 23 missing counter
-- 
cgit v1.2.3
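Review bot: The new fixture pairs `--tcp-option 23` with `tcp option 23 exists` and the negated form with `tcp option 23 missing`, but the two matchers are not equivalent on malformed packets, and nothing in the commit records that. As far as I recall, xt_tcp's option scan sets hotdrop when the TCP options cannot be read, so the iptables rule drops a truncated packet, whereas nft's exthdr `exists`/`missing` evaluation simply treats an unreadable option block as "not present" and continues rule evaluation — please confirm against the kernel sources before relying on it. A translated ruleset that used `--tcp-option` as a sanity filter would therefore become slightly more permissive on truncated headers. Since .txlate fixtures carry no comment syntax, a one-line caveat in the iptables-translate man page or the commit message would be the right place, e.g. "nft `tcp option N exists` does not drop packets with truncated TCP options the way xt_tcp's --tcp-option does". The translation code itself lives in libxt_tcp.c and is outside this hunk.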