[PATCH] [RESEND] [TCK] nwfilter: Adapt to changes how filters are instantiated

Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> · Thu, 21 Oct 2010 12:17:40 -0400

I am resending the patch with 'evolution' and hope no patch-mangling
occurs. At least it looks ok before sending (also sending patch as an
attachment)

Recent changes to how filters are being instantiated require follow-up
changes to the test suite. The following changes are related to

- usage of 'ctdir'
- changes to the host's incoming filter chain

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>

---
 scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall         |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall              |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall        |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall             |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall         |   10 +++++-----
 scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall       |    2 +-
 scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall        |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall             |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall            |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall        |    4 ++--
 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall  |    2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall |    2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall |    2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall            |    4 ++--
 scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall          |    4 ++--
 scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall            |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall       |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall            |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall        |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall             |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall        |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall             |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall    |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall         |    6 +++---
 24 files changed, 63 insertions(+), 63 deletions(-)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================

--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     ah       ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED 
-RETURN     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     ah       ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     ah       a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
-ACCEPT     ah       a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     ah       ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     ah       a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     ah       a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     ah       ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     ah       ::/0                 a:b:c::/128         DSCP match 0x21
-ACCEPT     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     ah       ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     ah   --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     ah   --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     all      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED 
-RETURN     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     all      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
-ACCEPT     all      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     all      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     all      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     all      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     all      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     all      ::/0                 a:b:c::/128         DSCP match 0x21
-ACCEPT     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     all      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     all  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -11,15 +11,15 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED 
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
@@ -31,24 +31,24 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::/128         /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED 
-RETURN     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state ESTABLISHED 
-RETURN     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state ESTABLISHED 
-RETURN     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED 
+RETURN     tcp      ::/0                 a:b:c::/128         /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state ESTABLISHED ctdir ORIGINAL
+RETURN     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED 
-ACCEPT     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state NEW,ESTABLISHED 
-ACCEPT     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state NEW,ESTABLISHED 
-ACCEPT     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED 
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      ::/0                 a:b:c::/128         /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 
-ACCEPT     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ 
-ACCEPT     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ 
-ACCEPT     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ 
+RETURN     tcp      ::/0                 a:b:c::/128         /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state ESTABLISHED ctdir ORIGINAL
+RETURN     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
 #ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
@@ -1,22 +1,22 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED 
-RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
-RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
+RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED ctdir ORIGINAL
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED 
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
-ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
+ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
-ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
+RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED ctdir ORIGINAL
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -11,7 +11,7 @@ DROP       icmp --  0.0.0.0/0           
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW,ESTABLISHED 
 DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -11,7 +11,7 @@ DROP       icmp --  0.0.0.0/0           
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 state NEW,ESTABLISHED 
 DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -1,17 +1,17 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -2,17 +2,17 @@
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED 
-RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
 ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 state NEW,ESTABLISHED 
-ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 
-ACCEPT     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED 
+RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -2,17 +2,17 @@
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED 
-RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
 ACCEPT     icmpv6    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED 
-ACCEPT     icmpv6    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     icmpv6    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 
-ACCEPT     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED 
+RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     2    --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     2    --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     sctp     a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
-ACCEPT     sctp     a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     sctp     ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     sctp     a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     sctp     a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     sctp     ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 
-ACCEPT     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 
+RETURN     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 
-ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
 RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21tcp spts:100:1111 dpts:20:21 
 RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3ftcp spt:65535 dpts:255:256 
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
 ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 
 ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21tcp spts:100:1111 dpts:20:21 
-ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3ftcp spt:65535 dpts:255:256 
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21tcp spts:100:1111 dpts:20:21 
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3ftcp spt:65535 dpts:255:256 
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
-ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     tcp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     tcp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     tcp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 
-ACCEPT     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 
+RETURN     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
-ACCEPT     udp      ::/0                 ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     udp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     udp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     udp      ::/0                 ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 
-ACCEPT     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 
+RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
@@ -3,17 +3,17 @@ Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 DROP       icmp --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 1 
 DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 2 
-RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
 DROP       icmp --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 1 
 DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 2 
-ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     esp      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED 
-RETURN     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     esp      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     esp      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
-ACCEPT     esp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     esp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     esp      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     esp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     esp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     esp      ::/0                 a:b:c::/128         DSCP match 0x21
-ACCEPT     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     esp      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     esp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     esp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     udplite    ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED 
-RETURN     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udplite    ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udplite    a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
-ACCEPT     udplite    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     udplite    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     udplite    a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     udplite    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udplite    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     udplite    ::/0                 a:b:c::/128         DSCP match 0x21
-ACCEPT     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udplite    ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udplite--  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     udplite--  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -11,15 +11,15 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED 
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
@@ -31,15 +31,15 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED 
+RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED 
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 
+RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
 #ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
---
 scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall         |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall              |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall        |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall             |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall         |   10 +++++-----
 scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall       |    2 +-
 scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall        |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall             |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall            |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall        |    4 ++--
 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall  |    2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall |    2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall |    2 +-
 scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall            |    4 ++--
 scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall          |    4 ++--
 scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall            |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall       |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall            |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall        |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall             |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall        |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall             |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall    |    6 +++---
 scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall         |    6 +++---
 24 files changed, 63 insertions(+), 63 deletions(-)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     ah       ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED 
-RETURN     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     ah       ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     ah       a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
-ACCEPT     ah       a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     ah       ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     ah       a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     ah       a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     ah       ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     ah       ::/0                 a:b:c::/128         DSCP match 0x21
-ACCEPT     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     ah       f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     ah       ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     ah       ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     ah   --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     ah   --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     ah   --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     ah   --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     ah   --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     all      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED 
-RETURN     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     all      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
-ACCEPT     all      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     all      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     all      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     all      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     all      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     all      ::/0                 a:b:c::/128         DSCP match 0x21
-ACCEPT     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     all      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     all      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     all      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     all  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -11,15 +11,15 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED 
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
@@ -31,24 +31,24 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::/128         /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED 
-RETURN     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state ESTABLISHED 
-RETURN     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state ESTABLISHED 
-RETURN     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED 
+RETURN     tcp      ::/0                 a:b:c::/128         /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state ESTABLISHED ctdir ORIGINAL
+RETURN     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED 
-ACCEPT     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state NEW,ESTABLISHED 
-ACCEPT     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state NEW,ESTABLISHED 
-ACCEPT     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED 
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      ::/0                 a:b:c::/128         /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 
-ACCEPT     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ 
-ACCEPT     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ 
-ACCEPT     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ 
+RETURN     tcp      ::/0                 a:b:c::/128         /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::/0                /* `ls`;${COLUMNS};$(ls);"test";&'3   spaces' */ state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp     ::/0                 ::/0                /* comment with lone ', `, ", `, \\, $x, and two  spaces */ state ESTABLISHED ctdir ORIGINAL
+RETURN     ah       ::/0                 ::/0                /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
 #ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall
@@ -1,22 +1,22 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED 
-RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
-RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
+RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED ctdir ORIGINAL
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED 
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
-ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
+ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
-ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
+RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED ctdir ORIGINAL
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -11,7 +11,7 @@ DROP       icmp --  0.0.0.0/0           
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW,ESTABLISHED 
 DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -11,7 +11,7 @@ DROP       icmp --  0.0.0.0/0           
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 state NEW,ESTABLISHED 
 DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -1,17 +1,17 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
+ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
+RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -2,17 +2,17 @@
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED 
-RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
 ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 state NEW,ESTABLISHED 
-ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     icmp --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 
-ACCEPT     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     icmp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED 
+RETURN     icmp --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -2,17 +2,17 @@
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED 
-RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
 ACCEPT     icmpv6    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED 
-ACCEPT     icmpv6    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     icmpv6    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 
-ACCEPT     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     icmpv6    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED 
+RETURN     icmpv6    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     2    --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     2    --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     2    --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     2    --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     2    --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     sctp     a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
-ACCEPT     sctp     a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     sctp     ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     sctp     a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     sctp     a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     sctp     ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 
-ACCEPT     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 
+RETURN     sctp     ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     sctp     ::/0                 a:b:c::/128         DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp     ::/0                 ::10.1.2.3/128      DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     sctp --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 
-ACCEPT     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     sctp --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
 RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21tcp spts:100:1111 dpts:20:21 
 RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3ftcp spt:65535 dpts:255:256 
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
+ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
 ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 
 ACCEPT     tcp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21tcp spts:100:1111 dpts:20:21 
-ACCEPT     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3ftcp spt:65535 dpts:255:256 
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21tcp spts:100:1111 dpts:20:21 
+RETURN     tcp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3ftcp spt:65535 dpts:255:256 
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
-ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     tcp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     tcp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     tcp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 
-ACCEPT     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 
+RETURN     tcp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     tcp      ::/0                 a:b:c::/128         DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     tcp      ::/0                 ::10.1.2.3/128      DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED 
-ACCEPT     udp      ::/0                 ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     udp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     udp      a:b:c::d:e:f/128     ::/0                DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     udp      ::/0                 ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 
-ACCEPT     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 
+RETURN     udp      ::/0                 a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udp      ::/0                 ::/0                DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp      ::/0                 ::10.1.2.3/128      DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED 
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED 
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED 
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
@@ -3,17 +3,17 @@ Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
 DROP       icmp --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 1 
 DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 2 
-RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED ctdir ORIGINAL
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
 DROP       icmp --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 1 
 DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           #conn/32 > 2 
-ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED ctdir REPLY
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     esp      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED 
-RETURN     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     esp      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     esp      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
-ACCEPT     esp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     esp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     esp      a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     esp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     esp      ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     esp      ::/0                 a:b:c::/128         DSCP match 0x21
-ACCEPT     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     esp      f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     esp      ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     esp      ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     esp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     esp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     esp  --  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     esp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     esp  --  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -1,21 +1,21 @@
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     udplite    ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED 
-RETURN     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED 
+RETURN     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udplite    ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udplite    a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED 
-ACCEPT     udplite    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     udplite    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     udplite    a:b:c::d:e:f/128     f:e:d::c:b:a/127    DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     udplite    a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udplite    ::10.1.2.3/128       ::/0                MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     udplite    ::/0                 a:b:c::/128         DSCP match 0x21
-ACCEPT     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21
+RETURN     udplite    f:e:d::c:b:a/127     a:b:c::d:e:f/128    MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udplite    ::/0                 a:b:c::/128         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     udplite    ::/0                 ::10.1.2.3/128      DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L INPUT -n --line-numbers | grep libvirt
 1    libvirt-host-in  all      ::/0                 ::/0                
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
@@ -1,21 +1,21 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED 
-RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
-RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED 
+RETURN     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udplite--  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED 
-ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
-ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED 
+ACCEPT     udplite--  10.1.2.3             0.0.0.0/0           DSCP match 0x02state ESTABLISHED ctdir ORIGINAL
+ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
+ACCEPT     udplite--  10.1.0.0/22          0.0.0.0/0           MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02
-ACCEPT     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
-ACCEPT     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21
+RETURN     udplite--  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
+RETURN     udplite--  0.0.0.0/0            10.1.0.0/22         DSCP match 0x21state ESTABLISHED ctdir ORIGINAL
 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep vnet0 | tr -s " "
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -11,15 +11,15 @@
 #iptables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED 
+ACCEPT     udp  --  10.1.2.3             0.0.0.0/0           DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL
 #iptables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 
+RETURN     udp  --  0.0.0.0/0            10.1.2.3            MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY
 #iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
 HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
 #iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
@@ -31,15 +31,15 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got
 #ip6tables -L FI-vnet0 -n
 Chain FI-vnet0 (1 references)
 target     prot opt source               destination         
-RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED 
+RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L FO-vnet0 -n
 Chain FO-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED 
+ACCEPT     tcp      a:b:c::/128          ::/0                MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY
 #ip6tables -L HI-vnet0 -n
 Chain HI-vnet0 (1 references)
 target     prot opt source               destination         
-ACCEPT     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 
+RETURN     tcp      ::/0                 a:b:c::/128         tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL
 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
 HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 
 #ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



