diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 9bdefb1564..177fd64049 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -64,17 +64,6 @@ VIR_LOG_INIT("nwfilter.nwfilter_ebiptables_driver"); #define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */ -/* - * --ctdir original vs. --ctdir reply's meaning was inverted in netfilter - * at some point (Linux 2.6.39) - */ -enum ctdirStatus { - CTDIR_STATUS_UNKNOWN = 0, - CTDIR_STATUS_CORRECTED = 1, - CTDIR_STATUS_OLD = 2, -}; -static enum ctdirStatus iptables_ctdir_corrected; - #define PRINT_ROOT_CHAIN(buf, prefix, ifname) \ g_snprintf(buf, sizeof(buf), "libvirt-%c-%s", prefix, ifname) #define PRINT_CHAIN(buf, prefix, ifname, suffix) \ @@ -1088,24 +1077,13 @@ iptablesEnforceDirection(virFirewall *fw, bool directionIn, virNWFilterRuleDef *rule) { - switch (iptables_ctdir_corrected) { - case CTDIR_STATUS_UNKNOWN: - /* could not be determined or s.th. is seriously wrong */ - return; - case CTDIR_STATUS_CORRECTED: - directionIn = !directionIn; - break; - case CTDIR_STATUS_OLD: - break; - } - if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT) virFirewallRuleAddArgList(fw, fwrule, "-m", "conntrack", "--ctdir", (directionIn ? - "Original" : - "Reply"), + "Reply" : + "Original"), NULL); } 
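Review bot: In iptablesEnforceDirection the mapping `directionIn ? "Reply" : "Original"` reads inverted against the parameter name, and the only explanation for it was the ctdirStatus comment that this commit deletes in the first hunk. A short comment above the virFirewallRuleAddArgList call would keep that knowledge, for example `/* netfilter swapped the meaning of --ctdir Original/Reply in Linux 2.6.39; this mapping assumes that or a newer kernel */`. With the uname probe removed in the third hunk, a host on an older kernel would presumably get direction matches that are silently reversed rather than omitted, so the minimum-kernel assumption is worth stating where the rule is built. The function's signature begins above this hunk.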
@@ -3633,41 +3611,12 @@ virNWFilterTechDriver ebiptables_driver = { .removeBasicRules = ebtablesRemoveBasicRules, }; -static void -ebiptablesDriverProbeCtdir(void) -{ - struct utsname utsname; - unsigned long thisversion; - - iptables_ctdir_corrected = CTDIR_STATUS_UNKNOWN; - - if (uname(&utsname) < 0) { - VIR_ERROR(_("Call to utsname failed: %d"), errno); - return; - } - - /* following Linux lxr, the logic was inverted in 2.6.39 */ - if (virStringParseVersion(&thisversion, utsname.release, true) < 0) { - VIR_ERROR(_("Could not determine kernel version from string %s"), - utsname.release); - return; - } - - if (thisversion >= 2 * 1000000 + 6 * 1000 + 39) - iptables_ctdir_corrected = CTDIR_STATUS_CORRECTED; - else - iptables_ctdir_corrected = CTDIR_STATUS_OLD; -} - - static int ebiptablesDriverInit(bool privileged) { if (!privileged) return 0; - ebiptablesDriverProbeCtdir(); - ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED; return 0; diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args index d36d63741a..e71284195d 100644 --- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args @@ -10,6 +10,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -21,6 +23,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -34,6 +38,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -44,6 +50,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -56,6 +64,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ 
@@ -66,6 +76,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -76,6 +88,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -88,6 +102,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -98,4 +114,6 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterxml2firewalldata/ah-linux.args index 886ccfb050..014f862a45 100644 --- a/tests/nwfilterxml2firewalldata/ah-linux.args +++ b/tests/nwfilterxml2firewalldata/ah-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ 
@@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args index 732627c546..37b7d8f70a 100644 --- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args @@ -10,6 +10,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -21,6 +23,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -34,6 +38,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -44,6 +50,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -56,6 +64,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -66,6 +76,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -76,6 +88,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -88,6 +102,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -98,4 +114,6 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilterxml2firewalldata/all-linux.args index a2bc6996d7..ac7cf71ce5 100644 --- a/tests/nwfilterxml2firewalldata/all-linux.args +++ b/tests/nwfilterxml2firewalldata/all-linux.args 
@@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfilterxml2firewalldata/comment-linux.args index 052b607cb2..7d1730dded 100644 --- a/tests/nwfilterxml2firewalldata/comment-linux.args +++ b/tests/nwfilterxml2firewalldata/comment-linux.args @@ -57,6 +57,8 @@ iptables \ --dport 564:1092 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'udp rule' \ -j RETURN @@ -71,6 +73,8 @@ iptables \ --sport 564:1092 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'udp rule' \ -j ACCEPT 
@@ -87,6 +91,8 @@ iptables \ --dport 564:1092 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'udp rule' \ -j RETURN @@ -101,6 +107,8 @@ ip6tables \ --sport 256:4369 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'tcp/ipv6 rule' \ -j RETURN @@ -117,6 +125,8 @@ ip6tables \ --dport 256:4369 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'tcp/ipv6 rule' \ -j ACCEPT @@ -131,6 +141,8 @@ ip6tables \ --sport 256:4369 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'tcp/ipv6 rule' \ -j RETURN @@ -140,6 +152,8 @@ ip6tables \ -p udp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j RETURN @@ -149,6 +163,8 @@ ip6tables \ -p udp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j ACCEPT @@ -158,6 +174,8 @@ ip6tables \ -p udp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j RETURN @@ -167,6 +185,8 @@ ip6tables \ -p sctp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j RETURN @@ -176,6 +196,8 @@ ip6tables \ -p sctp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j ACCEPT @@ -185,6 +207,8 @@ ip6tables \ -p sctp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j RETURN 
@@ -194,6 +218,8 @@ ip6tables \ -p ah \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \ -j RETURN @@ -203,6 +229,8 @@ ip6tables \ -p ah \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \ -j ACCEPT @@ -212,6 +240,8 @@ ip6tables \ -p ah \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nwfilterxml2firewalldata/conntrack-linux.args index 4e7652e293..af88246cc7 100644 --- a/tests/nwfilterxml2firewalldata/conntrack-linux.args +++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args @@ -32,6 +32,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -39,6 +41,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -46,4 +50,6 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args index be58a3f04b..363dc7684c 100644 --- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args @@ -10,6 +10,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -21,6 +23,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ 
@@ -34,6 +38,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -44,6 +50,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -56,6 +64,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -66,6 +76,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -76,6 +88,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -88,6 +102,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -98,4 +114,6 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilterxml2firewalldata/esp-linux.args index f8626282e4..0d2580603a 100644 --- a/tests/nwfilterxml2firewalldata/esp-linux.args +++ b/tests/nwfilterxml2firewalldata/esp-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ 
@@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nwfilterxml2firewalldata/example-1-linux.args index 32ffb8edfa..bc46b4be78 100644 --- a/tests/nwfilterxml2firewalldata/example-1-linux.args +++ b/tests/nwfilterxml2firewalldata/example-1-linux.args @@ -5,6 +5,8 @@ iptables \ --sport 22 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -13,6 +15,8 @@ iptables \ --dport 22 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -21,6 +25,8 @@ iptables \ --sport 22 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -28,6 +34,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -35,6 +43,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -42,6 +52,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -49,6 +61,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -56,6 +70,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ 
@@ -63,6 +79,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwfilterxml2firewalldata/hex-data-linux.args index 8b09922a65..b677f4d676 100644 --- a/tests/nwfilterxml2firewalldata/hex-data-linux.args +++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args @@ -57,6 +57,8 @@ iptables \ --dport 564:1092 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -69,6 +71,8 @@ iptables \ --sport 564:1092 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -83,6 +87,8 @@ iptables \ --dport 564:1092 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -95,6 +101,8 @@ ip6tables \ --sport 256:4369 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -109,6 +117,8 @@ ip6tables \ --dport 256:4369 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -121,4 +131,6 @@ ip6tables \ --sport 256:4369 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args index 1fc7993908..1731d5e27f 100644 --- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args @@ -4,6 +4,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -11,6 +13,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -18,6 +22,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilterxml2firewalldata/igmp-linux.args index c0add2539b..b85bfaffe8 100644 --- a/tests/nwfilterxml2firewalldata/igmp-linux.args +++ b/tests/nwfilterxml2firewalldata/igmp-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilterxml2firewalldata/ipset-linux.args index 6848f64541..7f6d9bd913 100644 --- a/tests/nwfilterxml2firewalldata/ipset-linux.args +++ b/tests/nwfilterxml2firewalldata/ipset-linux.args 
@@ -4,6 +4,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst \ -j RETURN @@ -13,6 +15,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src \ -j ACCEPT @@ -22,6 +26,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst \ -j RETURN @@ -58,6 +64,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -67,6 +75,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst,src \ -j ACCEPT @@ -76,6 +86,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -85,6 +97,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -94,6 +108,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst,src \ -j ACCEPT @@ -103,6 +119,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -112,6 +130,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src \ -j RETURN @@ -121,6 +141,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst \ -j ACCEPT @@ -130,6 +152,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src \ -j RETURN 
diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilterxml2firewalldata/iter1-linux.args index e50c768f67..23ac375d9c 100644 --- a/tests/nwfilterxml2firewalldata/iter1-linux.args +++ b/tests/nwfilterxml2firewalldata/iter1-linux.args @@ -8,6 +8,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -30,6 +34,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -52,6 +60,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -74,6 +86,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -96,4 +112,6 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilterxml2firewalldata/iter2-linux.args index 7f2b0e4565..8a98495865 100644 --- a/tests/nwfilterxml2firewalldata/iter2-linux.args +++ b/tests/nwfilterxml2firewalldata/iter2-linux.args @@ -8,6 +8,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -19,6 +21,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -30,6 +34,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -52,6 +60,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -74,6 +86,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -96,6 +112,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -107,6 +125,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -118,6 +138,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -129,6 +151,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -140,6 +164,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -151,6 +177,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -162,6 +190,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -173,6 +203,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -184,6 +216,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -195,6 +229,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -206,6 +242,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -217,6 +255,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -228,6 +268,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -239,6 +281,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -250,6 +294,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -261,6 +307,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -272,6 +320,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -283,6 +333,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -294,6 +346,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -306,6 +360,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -318,6 +374,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -330,6 +388,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -342,6 +402,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -354,6 +416,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -366,6 +430,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -378,6 +444,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -390,6 +458,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -402,6 +472,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -414,6 +486,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -426,6 +500,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -438,6 +514,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -450,6 +528,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -462,6 +542,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -474,6 +556,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -486,6 +570,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -498,6 +584,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -510,6 +598,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -522,6 +612,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -534,6 +626,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -546,6 +640,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -558,6 +654,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -570,6 +668,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -582,6 +682,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -594,6 +696,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -606,6 +710,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -618,6 +724,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -630,6 +738,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -642,6 +752,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -654,6 +766,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -666,6 +780,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -678,6 +794,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -690,6 +808,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -702,6 +822,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -714,6 +836,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -726,6 +850,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -738,6 +864,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -750,6 +878,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -762,6 +892,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -774,6 +906,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -786,6 +920,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -798,6 +934,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -810,6 +948,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -822,6 +962,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -834,6 +976,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -846,6 +990,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -858,6 +1004,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -870,6 +1018,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -882,6 +1032,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -894,6 +1046,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -906,6 +1060,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -918,6 +1074,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -930,6 +1088,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -942,6 +1102,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -954,6 +1116,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -966,6 +1130,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -978,6 +1144,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -990,6 +1158,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1002,6 +1172,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1014,6 +1186,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1026,6 +1200,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1038,6 +1214,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1050,6 +1228,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1062,6 +1242,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1074,6 +1256,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -1086,6 +1270,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1098,6 +1284,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1110,6 +1298,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1122,6 +1312,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1134,6 +1326,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1146,6 +1340,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1158,6 +1354,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1170,6 +1368,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1182,6 +1382,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1194,6 +1396,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1206,6 +1410,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1218,6 +1424,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1230,6 +1438,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -1242,6 +1452,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1254,6 +1466,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1266,6 +1480,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1278,6 +1494,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1290,6 +1508,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1302,6 +1522,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1314,6 +1536,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1326,6 +1550,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1338,6 +1564,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1350,6 +1578,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1362,6 +1592,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1374,6 +1606,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1386,6 +1620,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -1398,6 +1634,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1410,6 +1648,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1422,6 +1662,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1434,6 +1676,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1446,6 +1690,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1458,6 +1704,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1470,6 +1718,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1482,6 +1732,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1494,6 +1746,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1506,6 +1760,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1518,6 +1774,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1530,6 +1788,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1542,6 +1802,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -1554,6 +1816,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1566,6 +1830,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1578,6 +1844,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1590,6 +1858,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1601,6 +1871,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1612,6 +1884,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1623,6 +1897,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1634,6 +1910,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1645,6 +1923,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1656,6 +1936,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1667,6 +1949,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1678,6 +1962,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1689,6 +1975,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -1700,6 +1988,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1711,6 +2001,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1722,6 +2014,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1733,6 +2027,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1744,6 +2040,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1755,6 +2053,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1766,6 +2066,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1777,6 +2079,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1788,6 +2092,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1799,6 +2105,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1810,6 +2118,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1821,6 +2131,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1832,6 +2144,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -1843,6 +2157,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1854,6 +2170,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1865,6 +2183,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1876,6 +2196,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1887,6 +2209,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1898,6 +2222,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1909,6 +2235,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1920,6 +2248,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1931,6 +2261,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1942,6 +2274,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1953,6 +2287,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1964,6 +2300,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1975,6 +2313,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -1986,4 +2326,6 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilterxml2firewalldata/iter3-linux.args index 1bc769bcd4..fa99e2d8d9 100644 --- a/tests/nwfilterxml2firewalldata/iter3-linux.args +++ b/tests/nwfilterxml2firewalldata/iter3-linux.args @@ -8,6 +8,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -30,6 +34,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -52,6 +60,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -74,6 +86,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -96,6 +112,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -107,6 +125,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -118,6 +138,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -129,6 +151,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -141,6 +165,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -153,6 +179,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -165,4 +193,6 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args index 55b2b10037..7d698e127a 100644 --- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args @@ -9,6 +9,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -19,6 +21,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -31,6 +35,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -43,6 +49,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -57,6 +65,8 @@ ip6tables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -69,6 +79,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -81,6 +93,8 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ 
@@ -95,6 +109,8 @@ ip6tables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -107,4 +123,6 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilterxml2firewalldata/sctp-linux.args index 881f70ed72..2164cd947d 100644 --- a/tests/nwfilterxml2firewalldata/sctp-linux.args +++ b/tests/nwfilterxml2firewalldata/sctp-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -43,6 +49,8 @@ iptables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -57,6 +65,8 @@ iptables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -69,6 +79,8 @@ iptables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -81,6 +93,8 @@ iptables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -95,6 +109,8 @@ iptables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -107,4 +123,6 @@ iptables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN 
diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfilterxml2firewalldata/target-linux.args index 54d97307d9..59d8653731 100644 --- a/tests/nwfilterxml2firewalldata/target-linux.args +++ b/tests/nwfilterxml2firewalldata/target-linux.args @@ -51,6 +51,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'accept rule -- dir out' \ -j RETURN @@ -63,6 +65,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'accept rule -- dir out' \ -j ACCEPT @@ -77,6 +81,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'accept rule -- dir out' \ -j RETURN @@ -157,6 +163,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'accept rule -- dir in' \ -j RETURN @@ -171,6 +179,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'accept rule -- dir in' \ -j ACCEPT @@ -183,6 +193,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'accept rule -- dir in' \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfilterxml2firewalldata/target2-linux.args index 915f1ebb2b..15bca603cf 100644 --- a/tests/nwfilterxml2firewalldata/target2-linux.args +++ b/tests/nwfilterxml2firewalldata/target2-linux.args @@ -23,6 +23,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -31,6 +33,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ 
@@ -39,6 +43,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args index 9463d5a4c4..767bd12bb1 100644 --- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args @@ -9,6 +9,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -19,6 +21,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -31,6 +35,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -43,6 +49,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -57,6 +65,8 @@ ip6tables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -69,6 +79,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -81,6 +93,8 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -95,6 +109,8 @@ ip6tables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -107,4 +123,6 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilterxml2firewalldata/tcp-linux.args index ae2d05a753..d3a18295ac 100644 --- a/tests/nwfilterxml2firewalldata/tcp-linux.args +++ b/tests/nwfilterxml2firewalldata/tcp-linux.args 
@@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args index 1df20ae139..c5f60e474f 100644 --- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args @@ -9,6 +9,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -19,6 +21,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -31,6 +35,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -43,6 +49,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -57,6 +65,8 @@ ip6tables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -69,6 +79,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -81,6 +93,8 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -95,6 +109,8 @@ ip6tables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ 
@@ -107,4 +123,6 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilterxml2firewalldata/udp-linux.args index 0a04a636ae..7abeec7c7b 100644 --- a/tests/nwfilterxml2firewalldata/udp-linux.args +++ b/tests/nwfilterxml2firewalldata/udp-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -43,6 +49,8 @@ iptables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -57,6 +65,8 @@ iptables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -69,6 +79,8 @@ iptables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -81,6 +93,8 @@ iptables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -95,6 +109,8 @@ iptables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -107,4 +123,6 @@ iptables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args index 4c1d254ba8..a293623140 100644 --- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args 
@@ -10,6 +10,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -21,6 +23,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -34,6 +38,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -44,6 +50,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -56,6 +64,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -66,6 +76,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -76,6 +88,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -88,6 +102,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -98,4 +114,6 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfilterxml2firewalldata/udplite-linux.args index 7e85aaf15d..037c6d6455 100644 --- a/tests/nwfilterxml2firewalldata/udplite-linux.args +++ b/tests/nwfilterxml2firewalldata/udplite-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN