[libvirt PATCH 2/2] nwfilter: drop support for legacy iptables conntrack direction

Daniel P. Berrangé berrange at redhat.com
Tue Mar 8 17:52:42 UTC 2022


Long ago we adapted to Linux kernel changes which inverted the
behaviour of the conntrack --ctdir setting:

  commit a6a04ea47a8143ba46150889d8dae1c861df6389
  Author: Stefan Berger <stefanb at us.ibm.com>
  Date:   Wed May 15 21:02:11 2013 -0400

    nwfilter: check for inverted ctdir

    Linux netfilter at some point (Linux 2.6.39) inverted the meaning of the
    '--ctdir reply' and newer netfilter implementations now expect
    '--ctdir original' instead and vice-versa.
    We check for the kernel version and assume that all Linux kernels with version
    2.6.39 have the newer inverted logic.

    Any distro backporting the Linux kernel patch that inverts the --ctdir logic
    (Linux commit 96120d86f) must also backport this patch for Linux and
    adapt the kernel version being tested for.

    Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>

Given our supported platform targets, we no longer need to
consider a version of Linux before 2.6.39, so can drop
support for the old direction behaviour.

The test suite updates are triggered because the test suite never
probed for the ctdir direction, and so the iptables syntax
generator unconditionally dropped the ctdir args.

Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 src/nwfilter/nwfilter_ebiptables_driver.c     |  55 +--
 .../ah-ipv6-linux.args                        |  18 +
 tests/nwfilterxml2firewalldata/ah-linux.args  |  18 +
 .../all-ipv6-linux.args                       |  18 +
 tests/nwfilterxml2firewalldata/all-linux.args |  18 +
 .../comment-linux.args                        |  30 ++
 .../conntrack-linux.args                      |   6 +
 .../esp-ipv6-linux.args                       |  18 +
 tests/nwfilterxml2firewalldata/esp-linux.args |  18 +
 .../example-1-linux.args                      |  18 +
 .../hex-data-linux.args                       |  12 +
 .../icmp-direction3-linux.args                |   6 +
 .../nwfilterxml2firewalldata/igmp-linux.args  |  18 +
 .../nwfilterxml2firewalldata/ipset-linux.args |  24 ++
 .../nwfilterxml2firewalldata/iter1-linux.args |  18 +
 .../nwfilterxml2firewalldata/iter2-linux.args | 342 ++++++++++++++++++
 .../nwfilterxml2firewalldata/iter3-linux.args |  30 ++
 .../sctp-ipv6-linux.args                      |  18 +
 .../nwfilterxml2firewalldata/sctp-linux.args  |  18 +
 .../target-linux.args                         |  12 +
 .../target2-linux.args                        |   6 +
 .../tcp-ipv6-linux.args                       |  18 +
 tests/nwfilterxml2firewalldata/tcp-linux.args |   6 +
 .../udp-ipv6-linux.args                       |  18 +
 tests/nwfilterxml2firewalldata/udp-linux.args |  18 +
 .../udplite-ipv6-linux.args                   |  18 +
 .../udplite-linux.args                        |  18 +
 27 files changed, 764 insertions(+), 53 deletions(-)

diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 9bdefb1564..177fd64049 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -64,17 +64,6 @@ VIR_LOG_INIT("nwfilter.nwfilter_ebiptables_driver");
 
 #define BRIDGE_NF_CALL_ALERT_INTERVAL  10 /* seconds */
 
-/*
- * --ctdir original vs. --ctdir reply's meaning was inverted in netfilter
- * at some point (Linux 2.6.39)
- */
-enum ctdirStatus {
-    CTDIR_STATUS_UNKNOWN    = 0,
-    CTDIR_STATUS_CORRECTED  = 1,
-    CTDIR_STATUS_OLD        = 2,
-};
-static enum ctdirStatus iptables_ctdir_corrected;
-
 #define PRINT_ROOT_CHAIN(buf, prefix, ifname) \
     g_snprintf(buf, sizeof(buf), "libvirt-%c-%s", prefix, ifname)
 #define PRINT_CHAIN(buf, prefix, ifname, suffix) \
@@ -1088,24 +1077,13 @@ iptablesEnforceDirection(virFirewall *fw,
                          bool directionIn,
                          virNWFilterRuleDef *rule)
 {
-    switch (iptables_ctdir_corrected) {
-    case CTDIR_STATUS_UNKNOWN:
-        /* could not be determined or s.th. is seriously wrong */
-        return;
-    case CTDIR_STATUS_CORRECTED:
-        directionIn = !directionIn;
-        break;
-    case CTDIR_STATUS_OLD:
-        break;
-    }
-
     if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT)
         virFirewallRuleAddArgList(fw, fwrule,
                                   "-m", "conntrack",
                                   "--ctdir",
                                   (directionIn ?
-                                   "Original" :
-                                   "Reply"),
+                                   "Reply" :
+                                   "Original"),
                                   NULL);
 }
 
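Review bot: The ternary in iptablesEnforceDirection now maps `directionIn` to `"Reply"` and the other case to `"Original"`, and nothing left in the file explains why the names look reversed; the removed switch and the deleted comment above `enum ctdirStatus` were the only in-code record of the Linux 2.6.39 inversion. This argument decides which side of a tracked connection a filter rule matches, so a later clean-up that swaps the operands back would silently invert direction enforcement. I would add a comment directly above the `virFirewallRuleAddArgList` call, for example `/* Linux >= 2.6.39 inverted the meaning of --ctdir, so directionIn maps to "Reply" */`. As a style point, the `if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT)` body spans several lines without braces, and bracing it would make the now-unconditional path easier to read. The function's signature begins above the hunk, so the meaning of `directionIn` at the call sites is not visible here.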
@@ -3633,41 +3611,12 @@ virNWFilterTechDriver ebiptables_driver = {
     .removeBasicRules    = ebtablesRemoveBasicRules,
 };
 
-static void
-ebiptablesDriverProbeCtdir(void)
-{
-    struct utsname utsname;
-    unsigned long thisversion;
-
-    iptables_ctdir_corrected = CTDIR_STATUS_UNKNOWN;
-
-    if (uname(&utsname) < 0) {
-        VIR_ERROR(_("Call to utsname failed: %d"), errno);
-        return;
-    }
-
-    /* following Linux lxr, the logic was inverted in 2.6.39 */
-    if (virStringParseVersion(&thisversion, utsname.release, true) < 0) {
-        VIR_ERROR(_("Could not determine kernel version from string %s"),
-                  utsname.release);
-        return;
-    }
-
-    if (thisversion >= 2 * 1000000 + 6 * 1000 + 39)
-        iptables_ctdir_corrected = CTDIR_STATUS_CORRECTED;
-    else
-        iptables_ctdir_corrected = CTDIR_STATUS_OLD;
-}
-
-
 static int
 ebiptablesDriverInit(bool privileged)
 {
     if (!privileged)
         return 0;
 
-    ebiptablesDriverProbeCtdir();
-
     ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;
 
     return 0;
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
index d36d63741a..e71284195d 100644
--- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
@@ -10,6 +10,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -21,6 +23,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 ip6tables \
 -w \
@@ -34,6 +38,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -44,6 +50,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -56,6 +64,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -66,6 +76,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -76,6 +88,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -88,6 +102,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -98,4 +114,6 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterxml2firewalldata/ah-linux.args
index 886ccfb050..014f862a45 100644
--- a/tests/nwfilterxml2firewalldata/ah-linux.args
+++ b/tests/nwfilterxml2firewalldata/ah-linux.args
@@ -9,6 +9,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -31,6 +35,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -41,6 +47,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -53,6 +61,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +73,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -73,6 +85,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -85,6 +99,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -95,4 +111,6 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
index 732627c546..37b7d8f70a 100644
--- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
@@ -10,6 +10,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -21,6 +23,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 ip6tables \
 -w \
@@ -34,6 +38,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -44,6 +50,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -56,6 +64,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -66,6 +76,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -76,6 +88,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -88,6 +102,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -98,4 +114,6 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilterxml2firewalldata/all-linux.args
index a2bc6996d7..ac7cf71ce5 100644
--- a/tests/nwfilterxml2firewalldata/all-linux.args
+++ b/tests/nwfilterxml2firewalldata/all-linux.args
@@ -9,6 +9,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -31,6 +35,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -41,6 +47,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -53,6 +61,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +73,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -73,6 +85,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -85,6 +99,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -95,4 +111,6 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfilterxml2firewalldata/comment-linux.args
index 052b607cb2..7d1730dded 100644
--- a/tests/nwfilterxml2firewalldata/comment-linux.args
+++ b/tests/nwfilterxml2firewalldata/comment-linux.args
@@ -57,6 +57,8 @@ iptables \
 --dport 564:1092 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment 'udp rule' \
 -j RETURN
@@ -71,6 +73,8 @@ iptables \
 --sport 564:1092 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'udp rule' \
 -j ACCEPT
@@ -87,6 +91,8 @@ iptables \
 --dport 564:1092 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment 'udp rule' \
 -j RETURN
@@ -101,6 +107,8 @@ ip6tables \
 --sport 256:4369 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'tcp/ipv6 rule' \
 -j RETURN
@@ -117,6 +125,8 @@ ip6tables \
 --dport 256:4369 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment 'tcp/ipv6 rule' \
 -j ACCEPT
@@ -131,6 +141,8 @@ ip6tables \
 --sport 256:4369 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'tcp/ipv6 rule' \
 -j RETURN
@@ -140,6 +152,8 @@ ip6tables \
 -p udp \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j RETURN
@@ -149,6 +163,8 @@ ip6tables \
 -p udp \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j ACCEPT
@@ -158,6 +174,8 @@ ip6tables \
 -p udp \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j RETURN
@@ -167,6 +185,8 @@ ip6tables \
 -p sctp \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j RETURN
@@ -176,6 +196,8 @@ ip6tables \
 -p sctp \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j ACCEPT
@@ -185,6 +207,8 @@ ip6tables \
 -p sctp \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j RETURN
@@ -194,6 +218,8 @@ ip6tables \
 -p ah \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \
 -j RETURN
@@ -203,6 +229,8 @@ ip6tables \
 -p ah \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \
 -j ACCEPT
@@ -212,6 +240,8 @@ ip6tables \
 -p ah \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nwfilterxml2firewalldata/conntrack-linux.args
index 4e7652e293..af88246cc7 100644
--- a/tests/nwfilterxml2firewalldata/conntrack-linux.args
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args
@@ -32,6 +32,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -39,6 +41,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -46,4 +50,6 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
index be58a3f04b..363dc7684c 100644
--- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
@@ -10,6 +10,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -21,6 +23,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 ip6tables \
 -w \
@@ -34,6 +38,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -44,6 +50,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -56,6 +64,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -66,6 +76,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -76,6 +88,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -88,6 +102,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -98,4 +114,6 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilterxml2firewalldata/esp-linux.args
index f8626282e4..0d2580603a 100644
--- a/tests/nwfilterxml2firewalldata/esp-linux.args
+++ b/tests/nwfilterxml2firewalldata/esp-linux.args
@@ -9,6 +9,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -31,6 +35,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -41,6 +47,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -53,6 +61,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +73,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -73,6 +85,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -85,6 +99,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -95,4 +111,6 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nwfilterxml2firewalldata/example-1-linux.args
index 32ffb8edfa..bc46b4be78 100644
--- a/tests/nwfilterxml2firewalldata/example-1-linux.args
+++ b/tests/nwfilterxml2firewalldata/example-1-linux.args
@@ -5,6 +5,8 @@ iptables \
 --sport 22 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -13,6 +15,8 @@ iptables \
 --dport 22 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -21,6 +25,8 @@ iptables \
 --sport 22 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -28,6 +34,8 @@ iptables \
 -p icmp \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -35,6 +43,8 @@ iptables \
 -p icmp \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -42,6 +52,8 @@ iptables \
 -p icmp \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -49,6 +61,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -56,6 +70,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +79,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwfilterxml2firewalldata/hex-data-linux.args
index 8b09922a65..b677f4d676 100644
--- a/tests/nwfilterxml2firewalldata/hex-data-linux.args
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args
@@ -57,6 +57,8 @@ iptables \
 --dport 564:1092 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -69,6 +71,8 @@ iptables \
 --sport 564:1092 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -83,6 +87,8 @@ iptables \
 --dport 564:1092 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -95,6 +101,8 @@ ip6tables \
 --sport 256:4369 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -109,6 +117,8 @@ ip6tables \
 --dport 256:4369 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -121,4 +131,6 @@ ip6tables \
 --sport 256:4369 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
index 1fc7993908..1731d5e27f 100644
--- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
@@ -4,6 +4,8 @@ iptables \
 -p icmp \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -11,6 +13,8 @@ iptables \
 -p icmp \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -18,6 +22,8 @@ iptables \
 -p icmp \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilterxml2firewalldata/igmp-linux.args
index c0add2539b..b85bfaffe8 100644
--- a/tests/nwfilterxml2firewalldata/igmp-linux.args
+++ b/tests/nwfilterxml2firewalldata/igmp-linux.args
@@ -9,6 +9,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -31,6 +35,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -41,6 +47,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -53,6 +61,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +73,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -73,6 +85,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -85,6 +99,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -95,4 +111,6 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilterxml2firewalldata/ipset-linux.args
index 6848f64541..7f6d9bd913 100644
--- a/tests/nwfilterxml2firewalldata/ipset-linux.args
+++ b/tests/nwfilterxml2firewalldata/ipset-linux.args
@@ -4,6 +4,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m set \
 --match-set tck_test src,dst \
 -j RETURN
@@ -13,6 +15,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m set \
 --match-set tck_test dst,src \
 -j ACCEPT
@@ -22,6 +26,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m set \
 --match-set tck_test src,dst \
 -j RETURN
@@ -58,6 +64,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m set \
 --match-set tck_test dst,src,dst \
 -j RETURN
@@ -67,6 +75,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m set \
 --match-set tck_test src,dst,src \
 -j ACCEPT
@@ -76,6 +86,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m set \
 --match-set tck_test dst,src,dst \
 -j RETURN
@@ -85,6 +97,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m set \
 --match-set tck_test dst,src,dst \
 -j RETURN
@@ -94,6 +108,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m set \
 --match-set tck_test src,dst,src \
 -j ACCEPT
@@ -103,6 +119,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m set \
 --match-set tck_test dst,src,dst \
 -j RETURN
@@ -112,6 +130,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m set \
 --match-set tck_test dst,src \
 -j RETURN
@@ -121,6 +141,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m set \
 --match-set tck_test src,dst \
 -j ACCEPT
@@ -130,6 +152,8 @@ iptables \
 -p all \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m set \
 --match-set tck_test dst,src \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilterxml2firewalldata/iter1-linux.args
index e50c768f67..23ac375d9c 100644
--- a/tests/nwfilterxml2firewalldata/iter1-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter1-linux.args
@@ -8,6 +8,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -30,6 +34,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -41,6 +47,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -52,6 +60,8 @@ iptables \
 --dport 90 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +73,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -74,6 +86,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -85,6 +99,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -96,4 +112,6 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilterxml2firewalldata/iter2-linux.args
index 7f2b0e4565..8a98495865 100644
--- a/tests/nwfilterxml2firewalldata/iter2-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter2-linux.args
@@ -8,6 +8,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -30,6 +34,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -41,6 +47,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -52,6 +60,8 @@ iptables \
 --dport 90 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +73,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -74,6 +86,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -85,6 +99,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -96,6 +112,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -107,6 +125,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -118,6 +138,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -129,6 +151,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -140,6 +164,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -151,6 +177,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -162,6 +190,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -173,6 +203,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -184,6 +216,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -195,6 +229,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -206,6 +242,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -217,6 +255,8 @@ iptables \
 --dport 90 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -228,6 +268,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -239,6 +281,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -250,6 +294,8 @@ iptables \
 --dport 90 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -261,6 +307,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -272,6 +320,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -283,6 +333,8 @@ iptables \
 --dport 90 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -294,6 +346,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -306,6 +360,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -318,6 +374,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -330,6 +388,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -342,6 +402,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -354,6 +416,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -366,6 +430,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -378,6 +444,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -390,6 +458,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -402,6 +472,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -414,6 +486,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -426,6 +500,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -438,6 +514,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -450,6 +528,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -462,6 +542,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -474,6 +556,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -486,6 +570,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -498,6 +584,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -510,6 +598,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -522,6 +612,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -534,6 +626,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -546,6 +640,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -558,6 +654,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -570,6 +668,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -582,6 +682,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -594,6 +696,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -606,6 +710,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -618,6 +724,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -630,6 +738,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -642,6 +752,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -654,6 +766,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -666,6 +780,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -678,6 +794,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -690,6 +808,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -702,6 +822,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -714,6 +836,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -726,6 +850,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -738,6 +864,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -750,6 +878,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -762,6 +892,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -774,6 +906,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -786,6 +920,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -798,6 +934,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -810,6 +948,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -822,6 +962,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -834,6 +976,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -846,6 +990,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -858,6 +1004,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -870,6 +1018,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -882,6 +1032,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -894,6 +1046,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -906,6 +1060,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -918,6 +1074,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -930,6 +1088,8 @@ iptables \
 --sport 1080 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -942,6 +1102,8 @@ iptables \
 --dport 1080 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -954,6 +1116,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -966,6 +1130,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -978,6 +1144,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -990,6 +1158,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1002,6 +1172,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1014,6 +1186,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1026,6 +1200,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1038,6 +1214,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1050,6 +1228,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1062,6 +1242,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1074,6 +1256,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1086,6 +1270,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1098,6 +1284,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1110,6 +1298,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1122,6 +1312,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1134,6 +1326,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1146,6 +1340,8 @@ iptables \
 --sport 1090 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1158,6 +1354,8 @@ iptables \
 --dport 1090 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1170,6 +1368,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1182,6 +1382,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1194,6 +1396,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1206,6 +1410,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1218,6 +1424,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1230,6 +1438,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1242,6 +1452,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1254,6 +1466,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1266,6 +1480,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1278,6 +1494,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1290,6 +1508,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1302,6 +1522,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1314,6 +1536,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1326,6 +1550,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1338,6 +1564,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1350,6 +1578,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1362,6 +1592,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1374,6 +1606,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1386,6 +1620,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1398,6 +1634,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1410,6 +1648,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1422,6 +1662,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1434,6 +1676,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1446,6 +1690,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1458,6 +1704,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1470,6 +1718,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1482,6 +1732,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1494,6 +1746,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1506,6 +1760,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1518,6 +1774,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1530,6 +1788,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1542,6 +1802,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1554,6 +1816,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1566,6 +1830,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1578,6 +1844,8 @@ iptables \
 --sport 1110 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1590,6 +1858,8 @@ iptables \
 --dport 1110 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1601,6 +1871,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1612,6 +1884,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1623,6 +1897,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1634,6 +1910,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1645,6 +1923,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1656,6 +1936,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1667,6 +1949,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1678,6 +1962,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1689,6 +1975,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1700,6 +1988,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1711,6 +2001,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1722,6 +2014,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1733,6 +2027,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1744,6 +2040,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1755,6 +2053,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1766,6 +2066,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1777,6 +2079,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1788,6 +2092,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1799,6 +2105,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1810,6 +2118,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1821,6 +2131,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1832,6 +2144,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1843,6 +2157,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1854,6 +2170,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1865,6 +2183,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1876,6 +2196,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1887,6 +2209,8 @@ iptables \
 --dscp 5 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1898,6 +2222,8 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1909,6 +2235,8 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1920,6 +2248,8 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1931,6 +2261,8 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1942,6 +2274,8 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1953,6 +2287,8 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1964,6 +2300,8 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -1975,6 +2313,8 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -1986,4 +2326,6 @@ iptables \
 --dscp 6 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilterxml2firewalldata/iter3-linux.args
index 1bc769bcd4..fa99e2d8d9 100644
--- a/tests/nwfilterxml2firewalldata/iter3-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter3-linux.args
@@ -8,6 +8,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -30,6 +34,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -41,6 +47,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -52,6 +60,8 @@ iptables \
 --dport 90 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +73,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -74,6 +86,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -85,6 +99,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -96,6 +112,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -107,6 +125,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -118,6 +138,8 @@ iptables \
 --dport 90 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -129,6 +151,8 @@ iptables \
 --sport 90 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -141,6 +165,8 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -153,6 +179,8 @@ iptables \
 --sport 1100 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -165,4 +193,6 @@ iptables \
 --dport 1100 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
index 55b2b10037..7d698e127a 100644
--- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
@@ -9,6 +9,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -19,6 +21,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 ip6tables \
 -w \
@@ -31,6 +35,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -43,6 +49,8 @@ ip6tables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -57,6 +65,8 @@ ip6tables \
 --dport 100:1111 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -69,6 +79,8 @@ ip6tables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -81,6 +93,8 @@ ip6tables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -95,6 +109,8 @@ ip6tables \
 --dport 65535:65535 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -107,4 +123,6 @@ ip6tables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilterxml2firewalldata/sctp-linux.args
index 881f70ed72..2164cd947d 100644
--- a/tests/nwfilterxml2firewalldata/sctp-linux.args
+++ b/tests/nwfilterxml2firewalldata/sctp-linux.args
@@ -9,6 +9,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -31,6 +35,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -43,6 +49,8 @@ iptables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -57,6 +65,8 @@ iptables \
 --dport 100:1111 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -69,6 +79,8 @@ iptables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -81,6 +93,8 @@ iptables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -95,6 +109,8 @@ iptables \
 --dport 65535:65535 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -107,4 +123,6 @@ iptables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfilterxml2firewalldata/target-linux.args
index 54d97307d9..59d8653731 100644
--- a/tests/nwfilterxml2firewalldata/target-linux.args
+++ b/tests/nwfilterxml2firewalldata/target-linux.args
@@ -51,6 +51,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment 'accept rule -- dir out' \
 -j RETURN
@@ -63,6 +65,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'accept rule -- dir out' \
 -j ACCEPT
@@ -77,6 +81,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment 'accept rule -- dir out' \
 -j RETURN
@@ -157,6 +163,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'accept rule -- dir in' \
 -j RETURN
@@ -171,6 +179,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -m comment \
 --comment 'accept rule -- dir in' \
 -j ACCEPT
@@ -183,6 +193,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -m comment \
 --comment 'accept rule -- dir in' \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfilterxml2firewalldata/target2-linux.args
index 915f1ebb2b..15bca603cf 100644
--- a/tests/nwfilterxml2firewalldata/target2-linux.args
+++ b/tests/nwfilterxml2firewalldata/target2-linux.args
@@ -23,6 +23,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -31,6 +33,8 @@ iptables \
 --dport 80 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -39,6 +43,8 @@ iptables \
 --sport 80 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
index 9463d5a4c4..767bd12bb1 100644
--- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
@@ -9,6 +9,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -19,6 +21,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 ip6tables \
 -w \
@@ -31,6 +35,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -43,6 +49,8 @@ ip6tables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -57,6 +65,8 @@ ip6tables \
 --dport 100:1111 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -69,6 +79,8 @@ ip6tables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -81,6 +93,8 @@ ip6tables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -95,6 +109,8 @@ ip6tables \
 --dport 65535:65535 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -107,4 +123,6 @@ ip6tables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilterxml2firewalldata/tcp-linux.args
index ae2d05a753..d3a18295ac 100644
--- a/tests/nwfilterxml2firewalldata/tcp-linux.args
+++ b/tests/nwfilterxml2firewalldata/tcp-linux.args
@@ -9,6 +9,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -31,6 +35,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
index 1df20ae139..c5f60e474f 100644
--- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
@@ -9,6 +9,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -19,6 +21,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 ip6tables \
 -w \
@@ -31,6 +35,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -43,6 +49,8 @@ ip6tables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -57,6 +65,8 @@ ip6tables \
 --dport 100:1111 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -69,6 +79,8 @@ ip6tables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -81,6 +93,8 @@ ip6tables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -95,6 +109,8 @@ ip6tables \
 --dport 65535:65535 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -107,4 +123,6 @@ ip6tables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilterxml2firewalldata/udp-linux.args
index 0a04a636ae..7abeec7c7b 100644
--- a/tests/nwfilterxml2firewalldata/udp-linux.args
+++ b/tests/nwfilterxml2firewalldata/udp-linux.args
@@ -9,6 +9,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -31,6 +35,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -43,6 +49,8 @@ iptables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -57,6 +65,8 @@ iptables \
 --dport 100:1111 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -69,6 +79,8 @@ iptables \
 --sport 100:1111 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -81,6 +93,8 @@ iptables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -95,6 +109,8 @@ iptables \
 --dport 65535:65535 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -107,4 +123,6 @@ iptables \
 --sport 65535:65535 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
index 4c1d254ba8..a293623140 100644
--- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
@@ -10,6 +10,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -21,6 +23,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 ip6tables \
 -w \
@@ -34,6 +38,8 @@ ip6tables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 ip6tables \
 -w \
@@ -44,6 +50,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -56,6 +64,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -66,6 +76,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -76,6 +88,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 ip6tables \
 -w \
@@ -88,6 +102,8 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 ip6tables \
 -w \
@@ -98,4 +114,6 @@ ip6tables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfilterxml2firewalldata/udplite-linux.args
index 7e85aaf15d..037c6d6455 100644
--- a/tests/nwfilterxml2firewalldata/udplite-linux.args
+++ b/tests/nwfilterxml2firewalldata/udplite-linux.args
@@ -9,6 +9,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -19,6 +21,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j ACCEPT
 iptables \
 -w \
@@ -31,6 +35,8 @@ iptables \
 --dscp 2 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j RETURN
 iptables \
 -w \
@@ -41,6 +47,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -53,6 +61,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -63,6 +73,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -73,6 +85,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
 iptables \
 -w \
@@ -85,6 +99,8 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate NEW,ESTABLISHED \
+-m conntrack \
+--ctdir Original \
 -j ACCEPT
 iptables \
 -w \
@@ -95,4 +111,6 @@ iptables \
 --dscp 33 \
 -m conntrack \
 --ctstate ESTABLISHED \
+-m conntrack \
+--ctdir Reply \
 -j RETURN
-- 
2.35.1


