From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [libvirt PATCH 1/2] nwfilter: drop support for legacy iptables match syntax
Date: Tue, 8 Mar 2022 17:52:41 +0000
Message-Id: <20220308175242.771524-2-berrange@redhat.com>
In-Reply-To: <20220308175242.771524-1-berrange@redhat.com>
References: <20220308175242.771524-1-berrange@redhat.com>

Long ago we adapted to iptables changes by introducing support for
'-m conntrack':

  commit 06844ccbaa8544d7d08d568aff37bc4e3648f304
  Author: Stefan Berger
  Date:   Tue Aug 6 20:30:46 2013 -0400

    nwfilter: Use -m conntrack rather than -m state

    Since iptables version 1.4.16 '-m state --state NEW' is converted to
    '-m conntrack --ctstate NEW'. Therefore, when encountering this or later
    versions of iptables use '-m conntrack --ctstate'.

Given our supported platform targets, we no longer need to consider a
version of iptables before 1.4.16, so can drop support for the old
syntax.

The test suite updates are triggered because that never probed for the
new syntax, and so unconditionally generated the old syntax.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Laine Stump
---
 src/nwfilter/nwfilter_ebiptables_driver.c     |  73 +-
 .../ah-ipv6-linux.args                        |  36 +-
 tests/nwfilterxml2firewalldata/ah-linux.args  |  36 +-
 .../all-ipv6-linux.args                       |  36 +-
 tests/nwfilterxml2firewalldata/all-linux.args |  36 +-
 .../comment-linux.args                        |  60 +-
 .../conntrack-linux.args                      |  12 +-
 .../esp-ipv6-linux.args                       |  36 +-
 tests/nwfilterxml2firewalldata/esp-linux.args |  36 +-
 .../example-1-linux.args                      |  36 +-
 .../example-2-linux.args                      |  28 +-
 .../hex-data-linux.args                       |  24 +-
 .../icmp-direction-linux.args                 |  12 +-
 .../icmp-direction2-linux.args                |  12 +-
 .../icmp-direction3-linux.args                |  12 +-
 .../nwfilterxml2firewalldata/icmp-linux.args  |  12 +-
 .../icmpv6-linux.args                         |  16 +-
 .../nwfilterxml2firewalldata/igmp-linux.args  |  36 +-
 .../nwfilterxml2firewalldata/ipset-linux.args |  48 +-
 .../nwfilterxml2firewalldata/iter1-linux.args |  36 +-
 .../nwfilterxml2firewalldata/iter2-linux.args | 684 +++++++++--------
 .../nwfilterxml2firewalldata/iter3-linux.args |  60 +-
 .../sctp-ipv6-linux.args                      |  36 +-
 .../nwfilterxml2firewalldata/sctp-linux.args  |  36 +-
 .../target-linux.args                         |  24 +-
 .../target2-linux.args                        |  12 +-
 .../tcp-ipv6-linux.args                       |  36 +-
 tests/nwfilterxml2firewalldata/tcp-linux.args |  12 +-
 .../udp-ipv6-linux.args                       |  36 +-
 tests/nwfilterxml2firewalldata/udp-linux.args |  36 +-
 .../udplite-ipv6-linux.args                   |  36 +-
 .../udplite-linux.args                        |  36 +-
 32 files changed, 806 insertions(+), 871 deletions(-)

diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 54065a0f75..9bdefb1564 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c 
@@ -88,8 +88,6 @@ static enum ctdirStatus iptables_ctdir_corrected; #define PRINT_IPT_ROOT_CHAIN(buf, prefix, ifname) \ g_snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname) =20 -static bool newMatchState; - #define MATCH_PHYSDEV_IN_FW "-m", "physdev", "--physdev-in" #define MATCH_PHYSDEV_OUT_FW "-m", "physdev", "--physdev-is-bridged", "--= physdev-out" #define MATCH_PHYSDEV_OUT_OLD_FW "-m", "physdev", "--physdev-out" @@ -1489,16 +1487,10 @@ _iptablesCreateRuleInstance(virFirewall *fw, } =20 if (match && !skipMatch) { - if (newMatchState) - virFirewallRuleAddArgList(fw, fwrule, - "-m", "conntrack", - "--ctstate", match, - NULL); - else - virFirewallRuleAddArgList(fw, fwrule, - "-m", "state", - "--state", match, - NULL); + virFirewallRuleAddArgList(fw, fwrule, + "-m", "conntrack", + "--ctstate", match, + NULL); } =20 if (defMatch && match !=3D NULL && !skipMatch && !hasICMPType) 
@@ -3668,61 +3660,6 @@ ebiptablesDriverProbeCtdir(void) } =20 =20 -static int -ebiptablesDriverProbeStateMatchQuery(virFirewall *fw G_GNUC_UNUSED, - virFirewallLayer layer G_GNUC_UNUSED, - const char *const *lines, - void *opaque) -{ - unsigned long *version =3D opaque; - char *tmp; - - if (!lines || !lines[0]) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("No output from iptables --version")); - return -1; - } - - /* - * we expect output in the format - * 'iptables v1.4.16' - */ - if (!(tmp =3D strchr(lines[0], 'v')) || - virStringParseVersion(version, tmp + 1, true) < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Cannot parse version string '%s'"), - lines[0]); - return -1; - } - - return 0; -} - - -static int -ebiptablesDriverProbeStateMatch(void) -{ - unsigned long version; - g_autoptr(virFirewall) fw =3D virFirewallNew(); - - virFirewallStartTransaction(fw, 0); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - false, ebiptablesDriverProbeStateMatchQuery, &v= ersion, - "--version", NULL); - - if (virFirewallApply(fw) < 0) - return -1; - - /* - * since version 1.4.16 '-m state --state ...' will be converted to - * '-m conntrack --ctstate ...' - */ - if (version >=3D 1 * 1000000 + 4 * 1000 + 16) - newMatchState =3D true; - - return 0; -} - static int ebiptablesDriverInit(bool privileged) { @@ -3730,8 +3667,6 @@ ebiptablesDriverInit(bool privileged) return 0; =20 ebiptablesDriverProbeCtdir(); - if (ebiptablesDriverProbeStateMatch() < 0) - return -1; =20 ebiptables_driver.flags =3D TECHDRV_FLAG_INITIALIZED; =20 diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfi= lterxml2firewalldata/ah-ipv6-linux.args index f0bf85e8a1..d36d63741a 100644 --- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args 
@@ -8,8 +8,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -19,8 +19,8 @@ ip6tables \ --source a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -32,8 +32,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -42,8 +42,8 @@ ip6tables \ --destination a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -54,8 +54,8 @@ ip6tables \ --source a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -64,8 +64,8 @@ ip6tables \ --destination a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -74,8 +74,8 @@ ip6tables \ --destination ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -86,8 +86,8 @@ ip6tables \ --source ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -96,6 +96,6 @@ ip6tables \ --destination ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterx= ml2firewalldata/ah-linux.args index c7e5c1eb17..886ccfb050 100644 --- a/tests/nwfilterxml2firewalldata/ah-linux.args +++ b/tests/nwfilterxml2firewalldata/ah-linux.args 
@@ -7,8 +7,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -17,8 +17,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -29,8 +29,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -39,8 +39,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -51,8 +51,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -61,8 +61,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -71,8 +71,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -83,8 +83,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -93,6 +93,6 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/all-ipv6-linux.args index 5eb6033c64..732627c546 100644 --- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args 
@@ -8,8 +8,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -19,8 +19,8 @@ ip6tables \ --source a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -32,8 +32,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -42,8 +42,8 @@ ip6tables \ --destination a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -54,8 +54,8 @@ ip6tables \ --source a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -64,8 +64,8 @@ ip6tables \ --destination a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -74,8 +74,8 @@ ip6tables \ --destination ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -86,8 +86,8 @@ ip6tables \ --source ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -96,6 +96,6 @@ ip6tables \ --destination ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilter= xml2firewalldata/all-linux.args index 187d9ed9ca..a2bc6996d7 100644 --- a/tests/nwfilterxml2firewalldata/all-linux.args +++ b/tests/nwfilterxml2firewalldata/all-linux.args 
@@ -7,8 +7,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -17,8 +17,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -29,8 +29,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -39,8 +39,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -51,8 +51,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -61,8 +61,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -71,8 +71,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -83,8 +83,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -93,6 +93,6 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfi= lterxml2firewalldata/comment-linux.args index 2b940ccd84..052b607cb2 100644 --- a/tests/nwfilterxml2firewalldata/comment-linux.args +++ b/tests/nwfilterxml2firewalldata/comment-linux.args 
@@ -55,8 +55,8 @@ iptables \ --dscp 34 \ --sport 291:400 \ --dport 564:1092 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment 'udp rule' \ -j RETURN @@ -69,8 +69,8 @@ iptables \ --dscp 34 \ --dport 291:400 \ --sport 564:1092 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'udp rule' \ -j ACCEPT @@ -85,8 +85,8 @@ iptables \ --dscp 34 \ --sport 291:400 \ --dport 564:1092 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment 'udp rule' \ -j RETURN @@ -99,8 +99,8 @@ ip6tables \ --dscp 57 \ --dport 32:33 \ --sport 256:4369 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'tcp/ipv6 rule' \ -j RETURN @@ -115,8 +115,8 @@ ip6tables \ --dscp 57 \ --sport 32:33 \ --dport 256:4369 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment 'tcp/ipv6 rule' \ -j ACCEPT @@ -129,8 +129,8 @@ ip6tables \ --dscp 57 \ --dport 32:33 \ --sport 256:4369 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'tcp/ipv6 rule' \ -j RETURN @@ -138,8 +138,8 @@ ip6tables \ -w \ -A FJ-vnet0 \ -p udp \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j RETURN @@ -147,8 +147,8 @@ ip6tables \ -w \ -A FP-vnet0 \ -p udp \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j ACCEPT @@ -156,8 +156,8 @@ ip6tables \ -w \ -A HJ-vnet0 \ -p udp \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j RETURN 
@@ -165,8 +165,8 @@ ip6tables \ -w \ -A FJ-vnet0 \ -p sctp \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j RETURN @@ -174,8 +174,8 @@ ip6tables \ -w \ -A FP-vnet0 \ -p sctp \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j ACCEPT @@ -183,8 +183,8 @@ ip6tables \ -w \ -A HJ-vnet0 \ -p sctp \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j RETURN @@ -192,8 +192,8 @@ ip6tables \ -w \ -A FJ-vnet0 \ -p ah \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'tmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f $= {tmp}' \ -j RETURN @@ -201,8 +201,8 @@ ip6tables \ -w \ -A FP-vnet0 \ -p ah \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment 'tmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f $= {tmp}' \ -j ACCEPT @@ -210,8 +210,8 @@ ip6tables \ -w \ -A HJ-vnet0 \ -p ah \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'tmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f $= {tmp}' \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nw= filterxml2firewalldata/conntrack-linux.args index 78495598a1..4e7652e293 100644 --- a/tests/nwfilterxml2firewalldata/conntrack-linux.args +++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args 
@@ -30,20 +30,20 @@ iptables \ -w \ -A FJ-vnet0 \ -p all \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ -A FP-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ -A HJ-vnet0 \ -p all \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/esp-ipv6-linux.args index 426bdd3083..be58a3f04b 100644 --- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args @@ -8,8 +8,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -19,8 +19,8 @@ ip6tables \ --source a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -32,8 +32,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -42,8 +42,8 @@ ip6tables \ --destination a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -54,8 +54,8 @@ ip6tables \ --source a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -64,8 +64,8 @@ ip6tables \ --destination a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -74,8 +74,8 @@ ip6tables \ --destination ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ 
@@ -86,8 +86,8 @@ ip6tables \ --source ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -96,6 +96,6 @@ ip6tables \ --destination ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilter= xml2firewalldata/esp-linux.args index 7cd70afaa1..f8626282e4 100644 --- a/tests/nwfilterxml2firewalldata/esp-linux.args +++ b/tests/nwfilterxml2firewalldata/esp-linux.args @@ -7,8 +7,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -17,8 +17,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -29,8 +29,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -39,8 +39,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -51,8 +51,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -61,8 +61,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -71,8 +71,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -83,8 +83,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -93,6 +93,6 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nw= filterxml2firewalldata/example-1-linux.args index 1cc3746d40..32ffb8edfa 100644 --- a/tests/nwfilterxml2firewalldata/example-1-linux.args +++ b/tests/nwfilterxml2firewalldata/example-1-linux.args @@ -3,66 +3,66 @@ iptables \ -A FJ-vnet0 \ -p tcp \ --sport 22 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ -A FP-vnet0 \ -p tcp \ --dport 22 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ -A HJ-vnet0 \ -p tcp \ --sport 22 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ -A FJ-vnet0 \ -p icmp \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ -A FP-vnet0 \ -p icmp \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ -A HJ-vnet0 \ -p icmp \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ -A FJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ -A FP-vnet0 \ -p all \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ -A HJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.args b/tests/nw= filterxml2firewalldata/example-2-linux.args index 87462ad954..e7247aeb23 100644 
--- a/tests/nwfilterxml2firewalldata/example-2-linux.args +++ b/tests/nwfilterxml2firewalldata/example-2-linux.args @@ -2,8 +2,8 @@ iptables \ -w \ -A FJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED,RELATED \ +-m conntrack \ +--ctstate ESTABLISHED,RELATED \ -m comment \ --comment 'out: existing and related (ftp) connections' \ -j RETURN @@ -11,8 +11,8 @@ iptables \ -w \ -A HJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED,RELATED \ +-m conntrack \ +--ctstate ESTABLISHED,RELATED \ -m comment \ --comment 'out: existing and related (ftp) connections' \ -j RETURN @@ -20,8 +20,8 @@ iptables \ -w \ -A FP-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'in: existing connections' \ -j ACCEPT @@ -30,8 +30,8 @@ iptables \ -A FP-vnet0 \ -p tcp \ --dport 21:22 \ --m state \ ---state NEW \ +-m conntrack \ +--ctstate NEW \ -m comment \ --comment 'in: ftp and ssh' \ -j ACCEPT @@ -39,8 +39,8 @@ iptables \ -w \ -A FP-vnet0 \ -p icmp \ --m state \ ---state NEW \ +-m conntrack \ +--ctstate NEW \ -m comment \ --comment 'in: icmp' \ -j ACCEPT @@ -49,8 +49,8 @@ iptables \ -A FJ-vnet0 \ -p udp \ --dport 53 \ --m state \ ---state NEW \ +-m conntrack \ +--ctstate NEW \ -m comment \ --comment 'out: DNS lookups' \ -j RETURN @@ -59,8 +59,8 @@ iptables \ -A HJ-vnet0 \ -p udp \ --dport 53 \ --m state \ ---state NEW \ +-m conntrack \ +--ctstate NEW \ -m comment \ --comment 'out: DNS lookups' \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwf= ilterxml2firewalldata/hex-data-linux.args index ff8f528c48..8b09922a65 100644 --- a/tests/nwfilterxml2firewalldata/hex-data-linux.args +++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args @@ -55,8 +55,8 @@ iptables \ --dscp 34 \ --sport 291:400 \ --dport 564:1092 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -67,8 +67,8 @@ iptables \ --dscp 34 \ --dport 291:400 \ --sport 564:1092 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -81,8 +81,8 @@ iptables \ --dscp 34 \ --sport 291:400 \ --dport 564:1092 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -93,8 +93,8 @@ ip6tables \ --dscp 57 \ --dport 32:33 \ --sport 256:4369 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -107,8 +107,8 @@ ip6tables \ --dscp 57 \ --sport 32:33 \ --dport 256:4369 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -119,6 +119,6 @@ ip6tables \ --dscp 57 \ --dport 32:33 \ --sport 256:4369 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args b/tes= ts/nwfilterxml2firewalldata/icmp-direction-linux.args index 7548aaeba5..a7ad6ac9d8 100644 --- a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args @@ -3,24 +3,24 @@ iptables \ -A FP-vnet0 \ -p icmp \ --icmp-type 0 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ -A FJ-vnet0 \ -p icmp \ --icmp-type 8 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ -A HJ-vnet0 \ -p icmp \ --icmp-type 8 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args b/te= sts/nwfilterxml2firewalldata/icmp-direction2-linux.args index 026702caee..a1873e7448 100644 --- a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args 
@@ -3,24 +3,24 @@ iptables \ -A FP-vnet0 \ -p icmp \ --icmp-type 8 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ -A FJ-vnet0 \ -p icmp \ --icmp-type 0 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ -A HJ-vnet0 \ -p icmp \ --icmp-type 0 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/te= sts/nwfilterxml2firewalldata/icmp-direction3-linux.args index 6ee6a4f84a..1fc7993908 100644 --- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args @@ -2,22 +2,22 @@ iptables \ -w \ -A FJ-vnet0 \ -p icmp \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ -A FP-vnet0 \ -p icmp \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ -A HJ-vnet0 \ -p icmp \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.args b/tests/nwfilte= rxml2firewalldata/icmp-linux.args index d688e29213..02f9bf0c06 100644 --- a/tests/nwfilterxml2firewalldata/icmp-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-linux.args @@ -8,8 +8,8 @@ iptables \ -m dscp \ --dscp 2 \ --icmp-type 12/11 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -21,8 +21,8 @@ iptables \ -m dscp \ --dscp 2 \ --icmp-type 12/11 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -34,6 +34,6 @@ iptables \ -m dscp \ --dscp 33 \ --icmp-type 255/255 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT 
diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.args b/tests/nwfil= terxml2firewalldata/icmpv6-linux.args index 5a8546e5c8..b7f184f9b3 100644 --- a/tests/nwfilterxml2firewalldata/icmpv6-linux.args +++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args @@ -9,8 +9,8 @@ ip6tables \ -m dscp \ --dscp 2 \ --icmpv6-type 12/11 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -23,8 +23,8 @@ ip6tables \ -m dscp \ --dscp 2 \ --icmpv6-type 12/11 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -36,8 +36,8 @@ ip6tables \ -m dscp \ --dscp 33 \ --icmpv6-type 255/255 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -49,6 +49,6 @@ ip6tables \ -m dscp \ --dscp 33 \ --icmpv6-type 255/255 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilte= rxml2firewalldata/igmp-linux.args index b954b0ae99..c0add2539b 100644 --- a/tests/nwfilterxml2firewalldata/igmp-linux.args +++ b/tests/nwfilterxml2firewalldata/igmp-linux.args @@ -7,8 +7,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -17,8 +17,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -29,8 +29,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -39,8 +39,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -51,8 +51,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -61,8 +61,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -71,8 +71,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -83,8 +83,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -93,6 +93,6 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilt= erxml2firewalldata/ipset-linux.args index 5cdb151354..6848f64541 100644 --- a/tests/nwfilterxml2firewalldata/ipset-linux.args +++ b/tests/nwfilterxml2firewalldata/ipset-linux.args @@ -2,8 +2,8 @@ iptables \ -w \ -A FJ-vnet0 \ -p all \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m set \ --match-set tck_test src,dst \ -j RETURN @@ -11,8 +11,8 @@ iptables \ -w \ -A FP-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m set \ --match-set tck_test dst,src \ -j ACCEPT @@ -20,8 +20,8 @@ iptables \ -w \ -A HJ-vnet0 \ -p all \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m set \ --match-set tck_test src,dst \ -j RETURN @@ -56,8 +56,8 @@ iptables \ -w \ -A FJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN 
@@ -65,8 +65,8 @@ iptables \ -w \ -A FP-vnet0 \ -p all \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m set \ --match-set tck_test src,dst,src \ -j ACCEPT @@ -74,8 +74,8 @@ iptables \ -w \ -A HJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -83,8 +83,8 @@ iptables \ -w \ -A FJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -92,8 +92,8 @@ iptables \ -w \ -A FP-vnet0 \ -p all \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m set \ --match-set tck_test src,dst,src \ -j ACCEPT @@ -101,8 +101,8 @@ iptables \ -w \ -A HJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -110,8 +110,8 @@ iptables \ -w \ -A FJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m set \ --match-set tck_test dst,src \ -j RETURN @@ -119,8 +119,8 @@ iptables \ -w \ -A FP-vnet0 \ -p all \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m set \ --match-set tck_test src,dst \ -j ACCEPT @@ -128,8 +128,8 @@ iptables \ -w \ -A HJ-vnet0 \ -p all \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m set \ --match-set tck_test dst,src \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilt= erxml2firewalldata/iter1-linux.args index 9bdad18748..e50c768f67 100644 --- a/tests/nwfilterxml2firewalldata/iter1-linux.args +++ b/tests/nwfilterxml2firewalldata/iter1-linux.args @@ -6,8 +6,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -17,8 +17,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -28,8 +28,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -39,8 +39,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -50,8 +50,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 90 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -61,8 +61,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -72,8 +72,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -83,8 +83,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -94,6 +94,6 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilt= erxml2firewalldata/iter2-linux.args index b088350ee5..7f2b0e4565 100644 --- a/tests/nwfilterxml2firewalldata/iter2-linux.args +++ b/tests/nwfilterxml2firewalldata/iter2-linux.args @@ -6,8 +6,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -17,8 +17,8 @@ iptables \ -m dscp \ --dscp 1 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ 
@@ -28,8 +28,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -39,8 +39,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -50,8 +50,8 @@ iptables \ -m dscp \ --dscp 1 \ --dport 90 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -61,8 +61,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -72,8 +72,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -83,8 +83,8 @@ iptables \ -m dscp \ --dscp 1 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -94,8 +94,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -105,8 +105,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -116,8 +116,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -127,8 +127,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -138,8 +138,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -149,8 +149,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -160,8 +160,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -171,8 +171,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -182,8 +182,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -193,8 +193,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -204,8 +204,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -215,8 +215,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 90 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -226,8 +226,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -237,8 +237,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -248,8 +248,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 90 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -259,8 +259,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -270,8 +270,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -281,8 +281,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 90 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -292,8 +292,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -304,8 +304,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -316,8 +316,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -328,8 +328,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -340,8 +340,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -352,8 +352,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -364,8 +364,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -376,8 +376,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -388,8 +388,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ 
@@ -400,8 +400,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -412,8 +412,8 @@ iptables \ --dscp 3 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -424,8 +424,8 @@ iptables \ --dscp 3 \ --dport 90 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -436,8 +436,8 @@ iptables \ --dscp 3 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -448,8 +448,8 @@ iptables \ --dscp 3 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -460,8 +460,8 @@ iptables \ --dscp 3 \ --dport 90 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -472,8 +472,8 @@ iptables \ --dscp 3 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -484,8 +484,8 @@ iptables \ --dscp 3 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -496,8 +496,8 @@ iptables \ --dscp 3 \ --dport 90 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -508,8 +508,8 @@ iptables \ --dscp 3 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -520,8 +520,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -532,8 +532,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -544,8 +544,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -556,8 +556,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -568,8 +568,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -580,8 +580,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -592,8 +592,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -604,8 +604,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -616,8 +616,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -628,8 +628,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -640,8 +640,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -652,8 +652,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -664,8 +664,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -676,8 +676,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -688,8 +688,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -700,8 +700,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -712,8 +712,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -724,8 +724,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -736,8 +736,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -748,8 +748,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -760,8 +760,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -772,8 +772,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -784,8 +784,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ 
@@ -796,8 +796,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -808,8 +808,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -820,8 +820,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -832,8 +832,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -844,8 +844,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -856,8 +856,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -868,8 +868,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -880,8 +880,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -892,8 +892,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -904,8 +904,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -916,8 +916,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -928,8 +928,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1080 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -940,8 +940,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1080 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -952,8 +952,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -964,8 +964,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -976,8 +976,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -988,8 +988,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1000,8 +1000,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1012,8 +1012,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1024,8 +1024,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1036,8 +1036,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1048,8 +1048,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -1060,8 +1060,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1072,8 +1072,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1084,8 +1084,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1096,8 +1096,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1108,8 +1108,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1120,8 +1120,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1132,8 +1132,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1144,8 +1144,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1090 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1156,8 +1156,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1090 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1168,8 +1168,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1180,8 +1180,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ 
@@ -1192,8 +1192,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1204,8 +1204,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1216,8 +1216,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1228,8 +1228,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1240,8 +1240,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1252,8 +1252,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1264,8 +1264,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1276,8 +1276,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1288,8 +1288,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1300,8 +1300,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1312,8 +1312,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -1324,8 +1324,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1336,8 +1336,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1348,8 +1348,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1360,8 +1360,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1372,8 +1372,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1384,8 +1384,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1396,8 +1396,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1408,8 +1408,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1420,8 +1420,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1432,8 +1432,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1444,8 +1444,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -1456,8 +1456,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1468,8 +1468,8 @@ iptables \ --dscp 4 \ --dport 80 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1480,8 +1480,8 @@ iptables \ --dscp 4 \ --sport 80 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1492,8 +1492,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1504,8 +1504,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1516,8 +1516,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1528,8 +1528,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1540,8 +1540,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1552,8 +1552,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1564,8 +1564,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1576,8 +1576,8 @@ iptables \ --dscp 4 \ --dport 90 \ --sport 1110 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ 
@@ -1588,8 +1588,8 @@ iptables \ --dscp 4 \ --sport 90 \ --dport 1110 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1599,8 +1599,8 @@ iptables \ --destination 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1610,8 +1610,8 @@ iptables \ --source 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1621,8 +1621,8 @@ iptables \ --destination 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1632,8 +1632,8 @@ iptables \ --destination 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1643,8 +1643,8 @@ iptables \ --source 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1654,8 +1654,8 @@ iptables \ --destination 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1665,8 +1665,8 @@ iptables \ --destination 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1676,8 +1676,8 @@ iptables \ --source 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1687,8 +1687,8 @@ iptables \ --destination 1.1.1.1 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -1698,8 +1698,8 @@ iptables \ --destination 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1709,8 +1709,8 @@ iptables \ --source 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1720,8 +1720,8 @@ iptables \ --destination 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1731,8 +1731,8 @@ iptables \ --destination 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1742,8 +1742,8 @@ iptables \ --source 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1753,8 +1753,8 @@ iptables \ --destination 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1764,8 +1764,8 @@ iptables \ --destination 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1775,8 +1775,8 @@ iptables \ --source 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1786,8 +1786,8 @@ iptables \ --destination 2.2.2.2 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1797,8 +1797,8 @@ iptables \ --destination 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -1808,8 +1808,8 @@ iptables \ --source 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1819,8 +1819,8 @@ iptables \ --destination 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1830,8 +1830,8 @@ iptables \ --destination 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1841,8 +1841,8 @@ iptables \ --source 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1852,8 +1852,8 @@ iptables \ --destination 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1863,8 +1863,8 @@ iptables \ --destination 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1874,8 +1874,8 @@ iptables \ --source 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1885,8 +1885,8 @@ iptables \ --destination 3.3.3.3 \ -m dscp \ --dscp 5 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1896,8 +1896,8 @@ iptables \ --destination 1.1.1.1 \ -m dscp \ --dscp 6 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1907,8 +1907,8 @@ iptables \ --source 1.1.1.1 \ -m dscp \ --dscp 6 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ 
@@ -1918,8 +1918,8 @@ iptables \ --destination 1.1.1.1 \ -m dscp \ --dscp 6 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1929,8 +1929,8 @@ iptables \ --destination 2.2.2.2 \ -m dscp \ --dscp 6 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1940,8 +1940,8 @@ iptables \ --source 2.2.2.2 \ -m dscp \ --dscp 6 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1951,8 +1951,8 @@ iptables \ --destination 2.2.2.2 \ -m dscp \ --dscp 6 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1962,8 +1962,8 @@ iptables \ --destination 3.3.3.3 \ -m dscp \ --dscp 6 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -1973,8 +1973,8 @@ iptables \ --source 3.3.3.3 \ -m dscp \ --dscp 6 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -1984,6 +1984,6 @@ iptables \ --destination 3.3.3.3 \ -m dscp \ --dscp 6 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilt= erxml2firewalldata/iter3-linux.args index cc6d442c75..1bc769bcd4 100644 --- a/tests/nwfilterxml2firewalldata/iter3-linux.args +++ b/tests/nwfilterxml2firewalldata/iter3-linux.args @@ -6,8 +6,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -17,8 +17,8 @@ iptables \ -m dscp \ --dscp 1 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ 
@@ -28,8 +28,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -39,8 +39,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -50,8 +50,8 @@ iptables \ -m dscp \ --dscp 1 \ --dport 90 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -61,8 +61,8 @@ iptables \ -m dscp \ --dscp 1 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -72,8 +72,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -83,8 +83,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -94,8 +94,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -105,8 +105,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -116,8 +116,8 @@ iptables \ -m dscp \ --dscp 2 \ --dport 90 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -127,8 +127,8 @@ iptables \ -m dscp \ --dscp 2 \ --sport 90 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -139,8 +139,8 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -151,8 +151,8 @@ iptables \ --dscp 3 \ --dport 80 \ --sport 1100 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -163,6 +163,6 @@ iptables \ --dscp 3 \ --sport 80 \ --dport 1100 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nw= filterxml2firewalldata/sctp-ipv6-linux.args index 086c11ca52..55b2b10037 100644 --- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args @@ -7,8 +7,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -17,8 +17,8 @@ ip6tables \ --source a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -29,8 +29,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -41,8 +41,8 @@ ip6tables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -55,8 +55,8 @@ ip6tables \ --dscp 33 \ --sport 20:21 \ --dport 100:1111 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -67,8 +67,8 @@ ip6tables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -79,8 +79,8 @@ ip6tables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ 
@@ -93,8 +93,8 @@ ip6tables \ --dscp 63 \ --sport 255:256 \ --dport 65535:65535 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -105,6 +105,6 @@ ip6tables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilte= rxml2firewalldata/sctp-linux.args index a3c5a7a72d..881f70ed72 100644 --- a/tests/nwfilterxml2firewalldata/sctp-linux.args +++ b/tests/nwfilterxml2firewalldata/sctp-linux.args @@ -7,8 +7,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -17,8 +17,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -29,8 +29,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -41,8 +41,8 @@ iptables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -55,8 +55,8 @@ iptables \ --dscp 33 \ --sport 20:21 \ --dport 100:1111 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -67,8 +67,8 @@ iptables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -79,8 +79,8 @@ iptables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -93,8 +93,8 @@ iptables \ --dscp 63 \ --sport 255:256 \ --dport 65535:65535 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -105,6 +105,6 @@ iptables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfil= terxml2firewalldata/target-linux.args index abb01debf9..54d97307d9 100644 --- a/tests/nwfilterxml2firewalldata/target-linux.args +++ b/tests/nwfilterxml2firewalldata/target-linux.args @@ -49,8 +49,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment 'accept rule -- dir out' \ -j RETURN @@ -61,8 +61,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'accept rule -- dir out' \ -j ACCEPT @@ -75,8 +75,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment 'accept rule -- dir out' \ -j RETURN @@ -155,8 +155,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'accept rule -- dir in' \ -j RETURN @@ -169,8 +169,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -m comment \ --comment 'accept rule -- dir in' \ -j ACCEPT @@ -181,8 +181,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -m comment \ --comment 'accept rule -- dir in' \ -j RETURN 
diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfi= lterxml2firewalldata/target2-linux.args index c774f6f24a..915f1ebb2b 100644 --- a/tests/nwfilterxml2firewalldata/target2-linux.args +++ b/tests/nwfilterxml2firewalldata/target2-linux.args @@ -21,24 +21,24 @@ iptables \ -A FJ-vnet0 \ -p tcp \ --sport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ -A FP-vnet0 \ -p tcp \ --dport 80 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ -A HJ-vnet0 \ -p tcp \ --sport 80 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/tcp-ipv6-linux.args index 50b5514a3b..9463d5a4c4 100644 --- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args @@ -7,8 +7,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -17,8 +17,8 @@ ip6tables \ --source a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -29,8 +29,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -41,8 +41,8 @@ ip6tables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -55,8 +55,8 @@ ip6tables \ --dscp 33 \ --sport 20:21 \ --dport 100:1111 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ 
@@ -67,8 +67,8 @@ ip6tables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -79,8 +79,8 @@ ip6tables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -93,8 +93,8 @@ ip6tables \ --dscp 63 \ --sport 255:256 \ --dport 65535:65535 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -105,6 +105,6 @@ ip6tables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilter= xml2firewalldata/tcp-linux.args index 74ac4a6733..ae2d05a753 100644 --- a/tests/nwfilterxml2firewalldata/tcp-linux.args +++ b/tests/nwfilterxml2firewalldata/tcp-linux.args @@ -7,8 +7,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -17,8 +17,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -29,8 +29,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/udp-ipv6-linux.args index 6feec12a04..1df20ae139 100644 --- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args @@ -7,8 +7,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ 
@@ -17,8 +17,8 @@ ip6tables \ --source a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -29,8 +29,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -41,8 +41,8 @@ ip6tables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -55,8 +55,8 @@ ip6tables \ --dscp 33 \ --sport 20:21 \ --dport 100:1111 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -67,8 +67,8 @@ ip6tables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -79,8 +79,8 @@ ip6tables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -93,8 +93,8 @@ ip6tables \ --dscp 63 \ --sport 255:256 \ --dport 65535:65535 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -105,6 +105,6 @@ ip6tables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilter= xml2firewalldata/udp-linux.args index 32a8f56dfc..0a04a636ae 100644 --- a/tests/nwfilterxml2firewalldata/udp-linux.args +++ b/tests/nwfilterxml2firewalldata/udp-linux.args @@ -7,8 +7,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -17,8 +17,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -29,8 +29,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -41,8 +41,8 @@ iptables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -55,8 +55,8 @@ iptables \ --dscp 33 \ --sport 20:21 \ --dport 100:1111 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -67,8 +67,8 @@ iptables \ --dscp 33 \ --dport 20:21 \ --sport 100:1111 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -79,8 +79,8 @@ iptables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -93,8 +93,8 @@ iptables \ --dscp 63 \ --sport 255:256 \ --dport 65535:65535 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -105,6 +105,6 @@ iptables \ --dscp 63 \ --dport 255:256 \ --sport 65535:65535 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests= /nwfilterxml2firewalldata/udplite-ipv6-linux.args index 6be6aa0069..4c1d254ba8 100644 --- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args @@ -8,8 +8,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ 
@@ -19,8 +19,8 @@ ip6tables \ --source a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -32,8 +32,8 @@ ip6tables \ --destination a:b:c::d:e:f/128 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -42,8 +42,8 @@ ip6tables \ --destination a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -54,8 +54,8 @@ ip6tables \ --source a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -64,8 +64,8 @@ ip6tables \ --destination a:b:c::/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -74,8 +74,8 @@ ip6tables \ --destination ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN ip6tables \ -w \ @@ -86,8 +86,8 @@ ip6tables \ --source ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT ip6tables \ -w \ @@ -96,6 +96,6 @@ ip6tables \ --destination ::ffff:10.1.2.3/128 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfi= lterxml2firewalldata/udplite-linux.args index 8f3a9e8f24..7e85aaf15d 100644 --- a/tests/nwfilterxml2firewalldata/udplite-linux.args +++ b/tests/nwfilterxml2firewalldata/udplite-linux.args @@ -7,8 +7,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ 
@@ -17,8 +17,8 @@ iptables \ --source 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -29,8 +29,8 @@ iptables \ --destination 10.1.2.3/32 \ -m dscp \ --dscp 2 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j RETURN iptables \ -w \ @@ -39,8 +39,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -51,8 +51,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ @@ -61,8 +61,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -71,8 +71,8 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN iptables \ -w \ @@ -83,8 +83,8 @@ iptables \ --source 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state NEW,ESTABLISHED \ +-m conntrack \ +--ctstate NEW,ESTABLISHED \ -j ACCEPT iptables \ -w \ 
@@ -93,6 +93,6 @@ iptables \ --destination 10.1.2.3/22 \ -m dscp \ --dscp 33 \ --m state \ ---state ESTABLISHED \ +-m conntrack \ +--ctstate ESTABLISHED \ -j RETURN --=20 2.35.1
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [libvirt PATCH 2/2] nwfilter: drop support for legacy iptables conntrack direction
Date: Tue, 8 Mar 2022 17:52:42 +0000
Message-Id: <20220308175242.771524-3-berrange@redhat.com>
In-Reply-To: <20220308175242.771524-1-berrange@redhat.com>
References: <20220308175242.771524-1-berrange@redhat.com>
List-Id: Development discussions about the libvirt library & tools

Long ago we adapted to Linux kernel changes which inverted the
behaviour of the conntrack --ctdir setting:

  commit a6a04ea47a8143ba46150889d8dae1c861df6389
  Author: Stefan Berger
  Date:   Wed May 15 21:02:11 2013 -0400

    nwfilter: check for inverted ctdir

    Linux netfilter at some point (Linux 2.6.39) inverted the meaning of the
    '--ctdir reply' and newer netfilter implementations now expect
    '--ctdir original' instead and vice-versa.
    We check for the kernel version and assume that all Linux kernels with version
    2.6.39 have the newer inverted logic.

    Any distro backporting the Linux kernel patch that inverts the --ctdir logic
    (Linux commit 96120d86f) must also backport this patch for Linux and
    adapt the kernel version being tested for.

    Signed-off-by: Stefan Berger

Given our supported platform targets, we no longer need to
consider a version of Linux before 2.6.39, so can drop
support for the old direction behaviour.

The test suite updates are triggered because that never
probed for the ctdir direction, and so the iptables syntax
generator unconditionally dropped the ctdir args.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Laine Stump
---
 src/nwfilter/nwfilter_ebiptables_driver.c | 55 +--
 .../ah-ipv6-linux.args | 18 +
 tests/nwfilterxml2firewalldata/ah-linux.args | 18 +
 .../all-ipv6-linux.args | 18 +
 tests/nwfilterxml2firewalldata/all-linux.args | 18 +
 .../comment-linux.args | 30 ++
 .../conntrack-linux.args | 6 +
 .../esp-ipv6-linux.args | 18 +
 tests/nwfilterxml2firewalldata/esp-linux.args | 18 +
 .../example-1-linux.args | 18 +
 .../hex-data-linux.args | 12 +
 .../icmp-direction3-linux.args | 6 +
 .../nwfilterxml2firewalldata/igmp-linux.args | 18 +
 .../nwfilterxml2firewalldata/ipset-linux.args | 24 ++
 .../nwfilterxml2firewalldata/iter1-linux.args | 18 +
 .../nwfilterxml2firewalldata/iter2-linux.args | 342 ++++++++++++++++++
 .../nwfilterxml2firewalldata/iter3-linux.args | 30 ++
 .../sctp-ipv6-linux.args | 18 +
 .../nwfilterxml2firewalldata/sctp-linux.args | 18 +
 .../target-linux.args | 12 +
 .../target2-linux.args | 6 +
 .../tcp-ipv6-linux.args | 18 +
 tests/nwfilterxml2firewalldata/tcp-linux.args | 6 +
 .../udp-ipv6-linux.args | 18 +
 tests/nwfilterxml2firewalldata/udp-linux.args | 18 +
 .../udplite-ipv6-linux.args | 18 +
 .../udplite-linux.args | 18 +
 27 files changed, 764 insertions(+), 53 deletions(-)

diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 9bdefb1564..177fd64049 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -64,17 +64,6 @@ VIR_LOG_INIT("nwfilter.nwfilter_ebiptables_driver"); =20 #define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */ =20 -/* - * --ctdir original vs. --ctdir reply's meaning was inverted in netfilter - * at some point (Linux 2.6.39) - */ -enum ctdirStatus { - CTDIR_STATUS_UNKNOWN =3D 0, - CTDIR_STATUS_CORRECTED =3D 1, - CTDIR_STATUS_OLD =3D 2, -}; -static enum ctdirStatus iptables_ctdir_corrected; - #define PRINT_ROOT_CHAIN(buf, prefix, ifname) \ g_snprintf(buf, sizeof(buf), "libvirt-%c-%s", prefix, ifname) #define PRINT_CHAIN(buf, prefix, ifname, suffix) \ @@ -1088,24 +1077,13 @@ iptablesEnforceDirection(virFirewall *fw, bool directionIn, virNWFilterRuleDef *rule) { - switch (iptables_ctdir_corrected) { - case CTDIR_STATUS_UNKNOWN: - /* could not be determined or s.th. is seriously wrong */ - return; - case CTDIR_STATUS_CORRECTED: - directionIn =3D !directionIn; - break; - case CTDIR_STATUS_OLD: - break; - } - if (rule->tt !=3D VIR_NWFILTER_RULE_DIRECTION_INOUT) virFirewallRuleAddArgList(fw, fwrule, "-m", "conntrack", "--ctdir", (directionIn ? - "Original" : - "Reply"), + "Reply" : + "Original"), NULL); } =20 
@@ -3633,41 +3611,12 @@ virNWFilterTechDriver ebiptables_driver =3D { .removeBasicRules =3D ebtablesRemoveBasicRules, }; =20 -static void -ebiptablesDriverProbeCtdir(void) -{ - struct utsname utsname; - unsigned long thisversion; - - iptables_ctdir_corrected =3D CTDIR_STATUS_UNKNOWN; - - if (uname(&utsname) < 0) { - VIR_ERROR(_("Call to utsname failed: %d"), errno); - return; - } - - /* following Linux lxr, the logic was inverted in 2.6.39 */ - if (virStringParseVersion(&thisversion, utsname.release, true) < 0) { - VIR_ERROR(_("Could not determine kernel version from string %s"), - utsname.release); - return; - } - - if (thisversion >=3D 2 * 1000000 + 6 * 1000 + 39) - iptables_ctdir_corrected =3D CTDIR_STATUS_CORRECTED; - else - iptables_ctdir_corrected =3D CTDIR_STATUS_OLD; -} - - static int ebiptablesDriverInit(bool privileged) { if (!privileged) return 0; =20 - ebiptablesDriverProbeCtdir(); - ebiptables_driver.flags =3D TECHDRV_FLAG_INITIALIZED; =20 return 0; diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfi= lterxml2firewalldata/ah-ipv6-linux.args index d36d63741a..e71284195d 100644 --- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args @@ -10,6 +10,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -21,6 +23,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -34,6 +38,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -44,6 +50,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -56,6 +64,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ 
@@ -66,6 +76,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -76,6 +88,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -88,6 +102,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -98,4 +114,6 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterx= ml2firewalldata/ah-linux.args index 886ccfb050..014f862a45 100644 --- a/tests/nwfilterxml2firewalldata/ah-linux.args +++ b/tests/nwfilterxml2firewalldata/ah-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ 
@@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/all-ipv6-linux.args index 732627c546..37b7d8f70a 100644 --- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args @@ -10,6 +10,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -21,6 +23,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -34,6 +38,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -44,6 +50,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -56,6 +64,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -66,6 +76,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -76,6 +88,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -88,6 +102,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -98,4 +114,6 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilter= xml2firewalldata/all-linux.args index a2bc6996d7..ac7cf71ce5 100644 --- a/tests/nwfilterxml2firewalldata/all-linux.args +++ b/tests/nwfilterxml2firewalldata/all-linux.args 
@@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfi= lterxml2firewalldata/comment-linux.args index 052b607cb2..7d1730dded 100644 --- a/tests/nwfilterxml2firewalldata/comment-linux.args +++ b/tests/nwfilterxml2firewalldata/comment-linux.args @@ -57,6 +57,8 @@ iptables \ --dport 564:1092 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'udp rule' \ -j RETURN @@ -71,6 +73,8 @@ iptables \ --sport 564:1092 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'udp rule' \ -j ACCEPT 
@@ -87,6 +91,8 @@ iptables \ --dport 564:1092 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'udp rule' \ -j RETURN @@ -101,6 +107,8 @@ ip6tables \ --sport 256:4369 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'tcp/ipv6 rule' \ -j RETURN @@ -117,6 +125,8 @@ ip6tables \ --dport 256:4369 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'tcp/ipv6 rule' \ -j ACCEPT @@ -131,6 +141,8 @@ ip6tables \ --sport 256:4369 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'tcp/ipv6 rule' \ -j RETURN @@ -140,6 +152,8 @@ ip6tables \ -p udp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j RETURN @@ -149,6 +163,8 @@ ip6tables \ -p udp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j ACCEPT @@ -158,6 +174,8 @@ ip6tables \ -p udp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j RETURN @@ -167,6 +185,8 @@ ip6tables \ -p sctp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j RETURN @@ -176,6 +196,8 @@ ip6tables \ -p sctp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j ACCEPT @@ -185,6 +207,8 @@ ip6tables \ -p sctp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j RETURN 
@@ -194,6 +218,8 @@ ip6tables \ -p ah \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'tmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f $= {tmp}' \ -j RETURN @@ -203,6 +229,8 @@ ip6tables \ -p ah \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'tmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f $= {tmp}' \ -j ACCEPT @@ -212,6 +240,8 @@ ip6tables \ -p ah \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'tmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f $= {tmp}' \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nw= filterxml2firewalldata/conntrack-linux.args index 4e7652e293..af88246cc7 100644 --- a/tests/nwfilterxml2firewalldata/conntrack-linux.args +++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args @@ -32,6 +32,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -39,6 +41,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -46,4 +50,6 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/esp-ipv6-linux.args index be58a3f04b..363dc7684c 100644 --- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args @@ -10,6 +10,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -21,6 +23,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ 
@@ -34,6 +38,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -44,6 +50,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -56,6 +64,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -66,6 +76,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -76,6 +88,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -88,6 +102,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -98,4 +114,6 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilter= xml2firewalldata/esp-linux.args index f8626282e4..0d2580603a 100644 --- a/tests/nwfilterxml2firewalldata/esp-linux.args +++ b/tests/nwfilterxml2firewalldata/esp-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ 
@@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nw= filterxml2firewalldata/example-1-linux.args index 32ffb8edfa..bc46b4be78 100644 --- a/tests/nwfilterxml2firewalldata/example-1-linux.args +++ b/tests/nwfilterxml2firewalldata/example-1-linux.args @@ -5,6 +5,8 @@ iptables \ --sport 22 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -13,6 +15,8 @@ iptables \ --dport 22 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -21,6 +25,8 @@ iptables \ --sport 22 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -28,6 +34,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -35,6 +43,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -42,6 +52,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -49,6 +61,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -56,6 +70,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ 
@@ -63,6 +79,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwf= ilterxml2firewalldata/hex-data-linux.args index 8b09922a65..b677f4d676 100644 --- a/tests/nwfilterxml2firewalldata/hex-data-linux.args +++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args @@ -57,6 +57,8 @@ iptables \ --dport 564:1092 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -69,6 +71,8 @@ iptables \ --sport 564:1092 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -83,6 +87,8 @@ iptables \ --dport 564:1092 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -95,6 +101,8 @@ ip6tables \ --sport 256:4369 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -109,6 +117,8 @@ ip6tables \ --dport 256:4369 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -121,4 +131,6 @@ ip6tables \ --sport 256:4369 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/te= sts/nwfilterxml2firewalldata/icmp-direction3-linux.args index 1fc7993908..1731d5e27f 100644 --- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args @@ -4,6 +4,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -11,6 +13,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -18,6 +22,8 @@ iptables \ -p icmp \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilte= rxml2firewalldata/igmp-linux.args index c0add2539b..b85bfaffe8 100644 --- a/tests/nwfilterxml2firewalldata/igmp-linux.args +++ b/tests/nwfilterxml2firewalldata/igmp-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilt= erxml2firewalldata/ipset-linux.args index 6848f64541..7f6d9bd913 100644 --- a/tests/nwfilterxml2firewalldata/ipset-linux.args +++ b/tests/nwfilterxml2firewalldata/ipset-linux.args 
@@ -4,6 +4,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst \ -j RETURN @@ -13,6 +15,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src \ -j ACCEPT @@ -22,6 +26,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst \ -j RETURN @@ -58,6 +64,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -67,6 +75,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst,src \ -j ACCEPT @@ -76,6 +86,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -85,6 +97,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -94,6 +108,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst,src \ -j ACCEPT @@ -103,6 +119,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src,dst \ -j RETURN @@ -112,6 +130,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src \ -j RETURN @@ -121,6 +141,8 @@ iptables \ -p all \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m set \ --match-set tck_test src,dst \ -j ACCEPT @@ -130,6 +152,8 @@ iptables \ -p all \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m set \ --match-set tck_test dst,src \ -j RETURN 
diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilt= erxml2firewalldata/iter1-linux.args index e50c768f67..23ac375d9c 100644 --- a/tests/nwfilterxml2firewalldata/iter1-linux.args +++ b/tests/nwfilterxml2firewalldata/iter1-linux.args @@ -8,6 +8,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -30,6 +34,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -52,6 +60,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -74,6 +86,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -96,4 +112,6 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilt= erxml2firewalldata/iter2-linux.args index 7f2b0e4565..8a98495865 100644 --- a/tests/nwfilterxml2firewalldata/iter2-linux.args +++ b/tests/nwfilterxml2firewalldata/iter2-linux.args @@ -8,6 +8,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -19,6 +21,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -30,6 +34,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -52,6 +60,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -74,6 +86,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -96,6 +112,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -107,6 +125,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -118,6 +138,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -129,6 +151,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -140,6 +164,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -151,6 +177,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -162,6 +190,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -173,6 +203,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -184,6 +216,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -195,6 +229,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -206,6 +242,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -217,6 +255,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -228,6 +268,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -239,6 +281,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -250,6 +294,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -261,6 +307,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -272,6 +320,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -283,6 +333,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -294,6 +346,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -306,6 +360,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -318,6 +374,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -330,6 +388,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -342,6 +402,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -354,6 +416,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -366,6 +430,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -378,6 +444,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -390,6 +458,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -402,6 +472,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -414,6 +486,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -426,6 +500,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -438,6 +514,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -450,6 +528,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -462,6 +542,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -474,6 +556,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -486,6 +570,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -498,6 +584,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -510,6 +598,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -522,6 +612,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -534,6 +626,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -546,6 +640,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -558,6 +654,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -570,6 +668,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -582,6 +682,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -594,6 +696,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -606,6 +710,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -618,6 +724,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -630,6 +738,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -642,6 +752,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -654,6 +766,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -666,6 +780,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -678,6 +794,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -690,6 +808,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -702,6 +822,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -714,6 +836,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -726,6 +850,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -738,6 +864,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -750,6 +878,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -762,6 +892,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -774,6 +906,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -786,6 +920,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -798,6 +934,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -810,6 +948,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -822,6 +962,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -834,6 +976,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -846,6 +990,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -858,6 +1004,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -870,6 +1018,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -882,6 +1032,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -894,6 +1046,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -906,6 +1060,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -918,6 +1074,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -930,6 +1088,8 @@ iptables \ --sport 1080 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -942,6 +1102,8 @@ iptables \ --dport 1080 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -954,6 +1116,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -966,6 +1130,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -978,6 +1144,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -990,6 +1158,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1002,6 +1172,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1014,6 +1186,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1026,6 +1200,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1038,6 +1214,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1050,6 +1228,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1062,6 +1242,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1074,6 +1256,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -1086,6 +1270,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1098,6 +1284,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1110,6 +1298,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1122,6 +1312,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1134,6 +1326,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1146,6 +1340,8 @@ iptables \ --sport 1090 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1158,6 +1354,8 @@ iptables \ --dport 1090 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1170,6 +1368,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1182,6 +1382,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1194,6 +1396,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1206,6 +1410,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1218,6 +1424,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1230,6 +1438,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -1242,6 +1452,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1254,6 +1466,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1266,6 +1480,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1278,6 +1494,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1290,6 +1508,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1302,6 +1522,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1314,6 +1536,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1326,6 +1550,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1338,6 +1564,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1350,6 +1578,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1362,6 +1592,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1374,6 +1606,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1386,6 +1620,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -1398,6 +1634,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1410,6 +1648,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1422,6 +1662,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1434,6 +1676,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1446,6 +1690,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1458,6 +1704,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1470,6 +1718,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1482,6 +1732,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1494,6 +1746,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1506,6 +1760,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1518,6 +1774,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1530,6 +1788,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1542,6 +1802,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -1554,6 +1816,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1566,6 +1830,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1578,6 +1844,8 @@ iptables \ --sport 1110 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1590,6 +1858,8 @@ iptables \ --dport 1110 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1601,6 +1871,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1612,6 +1884,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1623,6 +1897,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1634,6 +1910,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1645,6 +1923,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1656,6 +1936,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1667,6 +1949,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1678,6 +1962,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1689,6 +1975,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -1700,6 +1988,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1711,6 +2001,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1722,6 +2014,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1733,6 +2027,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1744,6 +2040,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1755,6 +2053,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1766,6 +2066,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1777,6 +2079,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1788,6 +2092,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1799,6 +2105,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1810,6 +2118,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1821,6 +2131,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1832,6 +2144,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -1843,6 +2157,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1854,6 +2170,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1865,6 +2183,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1876,6 +2196,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1887,6 +2209,8 @@ iptables \ --dscp 5 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1898,6 +2222,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1909,6 +2235,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1920,6 +2248,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1931,6 +2261,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1942,6 +2274,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -1953,6 +2287,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1964,6 +2300,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -1975,6 +2313,8 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -1986,4 +2326,6 @@ iptables \ --dscp 6 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilt= erxml2firewalldata/iter3-linux.args index 1bc769bcd4..fa99e2d8d9 100644 --- a/tests/nwfilterxml2firewalldata/iter3-linux.args +++ b/tests/nwfilterxml2firewalldata/iter3-linux.args @@ -8,6 +8,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -30,6 +34,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -41,6 +47,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -52,6 +60,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -74,6 +86,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -96,6 +112,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -107,6 +125,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -118,6 +138,8 @@ iptables \ --dport 90 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ 
@@ -129,6 +151,8 @@ iptables \ --sport 90 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -141,6 +165,8 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -153,6 +179,8 @@ iptables \ --sport 1100 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -165,4 +193,6 @@ iptables \ --dport 1100 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nw= filterxml2firewalldata/sctp-ipv6-linux.args index 55b2b10037..7d698e127a 100644 --- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args @@ -9,6 +9,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -19,6 +21,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -31,6 +35,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -43,6 +49,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -57,6 +65,8 @@ ip6tables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -69,6 +79,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -81,6 +93,8 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ 
@@ -95,6 +109,8 @@ ip6tables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -107,4 +123,6 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilte= rxml2firewalldata/sctp-linux.args index 881f70ed72..2164cd947d 100644 --- a/tests/nwfilterxml2firewalldata/sctp-linux.args +++ b/tests/nwfilterxml2firewalldata/sctp-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -43,6 +49,8 @@ iptables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -57,6 +65,8 @@ iptables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -69,6 +79,8 @@ iptables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -81,6 +93,8 @@ iptables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -95,6 +109,8 @@ iptables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -107,4 +123,6 @@ iptables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN 
diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfil= terxml2firewalldata/target-linux.args index 54d97307d9..59d8653731 100644 --- a/tests/nwfilterxml2firewalldata/target-linux.args +++ b/tests/nwfilterxml2firewalldata/target-linux.args @@ -51,6 +51,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'accept rule -- dir out' \ -j RETURN @@ -63,6 +65,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'accept rule -- dir out' \ -j ACCEPT @@ -77,6 +81,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'accept rule -- dir out' \ -j RETURN @@ -157,6 +163,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'accept rule -- dir in' \ -j RETURN @@ -171,6 +179,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -m comment \ --comment 'accept rule -- dir in' \ -j ACCEPT @@ -183,6 +193,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -m comment \ --comment 'accept rule -- dir in' \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfi= lterxml2firewalldata/target2-linux.args index 915f1ebb2b..15bca603cf 100644 --- a/tests/nwfilterxml2firewalldata/target2-linux.args +++ b/tests/nwfilterxml2firewalldata/target2-linux.args @@ -23,6 +23,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -31,6 +33,8 @@ iptables \ --dport 80 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ 
@@ -39,6 +43,8 @@ iptables \ --sport 80 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/tcp-ipv6-linux.args index 9463d5a4c4..767bd12bb1 100644 --- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args @@ -9,6 +9,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -19,6 +21,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -31,6 +35,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -43,6 +49,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -57,6 +65,8 @@ ip6tables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -69,6 +79,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -81,6 +93,8 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -95,6 +109,8 @@ ip6tables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -107,4 +123,6 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilter= xml2firewalldata/tcp-linux.args index ae2d05a753..d3a18295ac 100644 --- a/tests/nwfilterxml2firewalldata/tcp-linux.args +++ b/tests/nwfilterxml2firewalldata/tcp-linux.args 
@@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/udp-ipv6-linux.args index 1df20ae139..c5f60e474f 100644 --- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args @@ -9,6 +9,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -19,6 +21,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -31,6 +35,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -43,6 +49,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -57,6 +65,8 @@ ip6tables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -69,6 +79,8 @@ ip6tables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -81,6 +93,8 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -95,6 +109,8 @@ ip6tables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ 
@@ -107,4 +123,6 @@ ip6tables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilter= xml2firewalldata/udp-linux.args index 0a04a636ae..7abeec7c7b 100644 --- a/tests/nwfilterxml2firewalldata/udp-linux.args +++ b/tests/nwfilterxml2firewalldata/udp-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -43,6 +49,8 @@ iptables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -57,6 +65,8 @@ iptables \ --dport 100:1111 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -69,6 +79,8 @@ iptables \ --sport 100:1111 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -81,6 +93,8 @@ iptables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -95,6 +109,8 @@ iptables \ --dport 65535:65535 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -107,4 +123,6 @@ iptables \ --sport 65535:65535 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests= /nwfilterxml2firewalldata/udplite-ipv6-linux.args index 4c1d254ba8..a293623140 100644 --- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args 
@@ -10,6 +10,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -21,6 +23,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT ip6tables \ -w \ @@ -34,6 +38,8 @@ ip6tables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN ip6tables \ -w \ @@ -44,6 +50,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -56,6 +64,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -66,6 +76,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -76,6 +88,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN ip6tables \ -w \ @@ -88,6 +102,8 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT ip6tables \ -w \ @@ -98,4 +114,6 @@ ip6tables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfi= lterxml2firewalldata/udplite-linux.args index 7e85aaf15d..037c6d6455 100644 --- a/tests/nwfilterxml2firewalldata/udplite-linux.args +++ b/tests/nwfilterxml2firewalldata/udplite-linux.args @@ -9,6 +9,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ @@ -19,6 +21,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j ACCEPT iptables \ -w \ @@ -31,6 +35,8 @@ iptables \ --dscp 2 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j RETURN iptables \ -w \ 
@@ -41,6 +47,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -53,6 +61,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -63,6 +73,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -73,6 +85,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN iptables \ -w \ @@ -85,6 +99,8 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate NEW,ESTABLISHED \ +-m conntrack \ +--ctdir Original \ -j ACCEPT iptables \ -w \ @@ -95,4 +111,6 @@ iptables \ --dscp 33 \ -m conntrack \ --ctstate ESTABLISHED \ +-m conntrack \ +--ctdir Reply \ -j RETURN --=20 2.35.1
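Review bot: Every hunk in these .args files loads the conntrack match a second time: the added `-m conntrack \` sits directly after the existing `-m conntrack \ --ctstate ... \` pair, so each expected rule now carries two `-m conntrack` invocations back to back. If the rule generator can emit `--ctdir` as a second option of the match that is already there (`-m conntrack --ctstate NEW,ESTABLISHED --ctdir Original`), the expected output would be shorter and easier to audit. If the separate match is deliberate, the commit message should say why.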
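Review bot: tests/nwfilterxml2firewalldata/tcp-linux.args receives only three hunks (old lines 9, 19 and 31), whereas tcp-ipv6-linux.args, udp-linux.args, sctp-linux.args and their IPv6 counterparts each receive nine, continuing through the `100:1111` and `65535:65535` port-range rules. Please confirm that the remaining rules in tcp-linux.args carry no `--ctstate` match and are therefore correctly left without `--ctdir`, rather than having been missed when the expected output was regenerated. The same check applies to target-linux.args, where the hunks jump from old line 77 to old line 157.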
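Review bot: The direction chosen in each hunk follows the state set and not the target, and nothing in the test data documents that. Throughout the visible hunks `--ctstate NEW,ESTABLISHED` is always paired with `--ctdir Original` and `--ctstate ESTABLISHED` with `--ctdir Reply`, whether the rule ends in `-j RETURN` or `-j ACCEPT` (compare the iter3-linux.args hunks with the `100:1111` hunks in sctp-linux.args). A sentence in the commit message or a comment next to the generator stating this pairing would let a reader verify the expected output without reverse-engineering it from several hundred near-identical hunks.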