Long ago we adapted to iptables changes by introducing support
for '-m conntrack':
commit 06844ccbaa8544d7d08d568aff37bc4e3648f304
Author: Stefan Berger <stefanb(a)us.ibm.com>
Date: Tue Aug 6 20:30:46 2013 -0400
nwfilter: Use -m conntrack rather than -m state
Since iptables version 1.4.16 '-m state --state NEW' is converted to
'-m conntrack --ctstate NEW'. Therefore, when encountering this or later
versions of iptables use '-m conntrack --ctstate'.
Given our supported platform targets, we no longer need to
consider a version of iptables before 1.4.16, so can drop
support for the old syntax.
The test suite updates are triggered because that never
probed for the new syntax, and so unconditionally
generated the old syntax.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 73 +-
.../ah-ipv6-linux.args | 36 +-
tests/nwfilterxml2firewalldata/ah-linux.args | 36 +-
.../all-ipv6-linux.args | 36 +-
tests/nwfilterxml2firewalldata/all-linux.args | 36 +-
.../comment-linux.args | 60 +-
.../conntrack-linux.args | 12 +-
.../esp-ipv6-linux.args | 36 +-
tests/nwfilterxml2firewalldata/esp-linux.args | 36 +-
.../example-1-linux.args | 36 +-
.../example-2-linux.args | 28 +-
.../hex-data-linux.args | 24 +-
.../icmp-direction-linux.args | 12 +-
.../icmp-direction2-linux.args | 12 +-
.../icmp-direction3-linux.args | 12 +-
.../nwfilterxml2firewalldata/icmp-linux.args | 12 +-
.../icmpv6-linux.args | 16 +-
.../nwfilterxml2firewalldata/igmp-linux.args | 36 +-
.../nwfilterxml2firewalldata/ipset-linux.args | 48 +-
.../nwfilterxml2firewalldata/iter1-linux.args | 36 +-
.../nwfilterxml2firewalldata/iter2-linux.args | 684 +++++++++---------
.../nwfilterxml2firewalldata/iter3-linux.args | 60 +-
.../sctp-ipv6-linux.args | 36 +-
.../nwfilterxml2firewalldata/sctp-linux.args | 36 +-
.../target-linux.args | 24 +-
.../target2-linux.args | 12 +-
.../tcp-ipv6-linux.args | 36 +-
tests/nwfilterxml2firewalldata/tcp-linux.args | 12 +-
.../udp-ipv6-linux.args | 36 +-
tests/nwfilterxml2firewalldata/udp-linux.args | 36 +-
.../udplite-ipv6-linux.args | 36 +-
.../udplite-linux.args | 36 +-
32 files changed, 806 insertions(+), 871 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 54065a0f75..9bdefb1564 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -88,8 +88,6 @@ static enum ctdirStatus iptables_ctdir_corrected;
#define PRINT_IPT_ROOT_CHAIN(buf, prefix, ifname) \
g_snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname)
-static bool newMatchState;
-
#define MATCH_PHYSDEV_IN_FW "-m", "physdev",
"--physdev-in"
#define MATCH_PHYSDEV_OUT_FW "-m", "physdev",
"--physdev-is-bridged", "--physdev-out"
#define MATCH_PHYSDEV_OUT_OLD_FW "-m", "physdev",
"--physdev-out"
@@ -1489,16 +1487,10 @@ _iptablesCreateRuleInstance(virFirewall *fw,
}
if (match && !skipMatch) {
- if (newMatchState)
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "conntrack",
- "--ctstate", match,
- NULL);
- else
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "state",
- "--state", match,
- NULL);
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "conntrack",
+ "--ctstate", match,
+ NULL);
}
if (defMatch && match != NULL && !skipMatch && !hasICMPType)
@@ -3668,61 +3660,6 @@ ebiptablesDriverProbeCtdir(void)
}
-static int
-ebiptablesDriverProbeStateMatchQuery(virFirewall *fw G_GNUC_UNUSED,
- virFirewallLayer layer G_GNUC_UNUSED,
- const char *const *lines,
- void *opaque)
-{
- unsigned long *version = opaque;
- char *tmp;
-
- if (!lines || !lines[0]) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("No output from iptables --version"));
- return -1;
- }
-
- /*
- * we expect output in the format
- * 'iptables v1.4.16'
- */
- if (!(tmp = strchr(lines[0], 'v')) ||
- virStringParseVersion(version, tmp + 1, true) < 0) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("Cannot parse version string '%s'"),
- lines[0]);
- return -1;
- }
-
- return 0;
-}
-
-
-static int
-ebiptablesDriverProbeStateMatch(void)
-{
- unsigned long version;
- g_autoptr(virFirewall) fw = virFirewallNew();
-
- virFirewallStartTransaction(fw, 0);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
- false, ebiptablesDriverProbeStateMatchQuery, &version,
- "--version", NULL);
-
- if (virFirewallApply(fw) < 0)
- return -1;
-
- /*
- * since version 1.4.16 '-m state --state ...' will be converted to
- * '-m conntrack --ctstate ...'
- */
- if (version >= 1 * 1000000 + 4 * 1000 + 16)
- newMatchState = true;
-
- return 0;
-}
-
static int
ebiptablesDriverInit(bool privileged)
{
@@ -3730,8 +3667,6 @@ ebiptablesDriverInit(bool privileged)
return 0;
ebiptablesDriverProbeCtdir();
- if (ebiptablesDriverProbeStateMatch() < 0)
- return -1;
ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
index f0bf85e8a1..d36d63741a 100644
--- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
@@ -8,8 +8,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -19,8 +19,8 @@ ip6tables \
--source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -32,8 +32,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -42,8 +42,8 @@ ip6tables \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -54,8 +54,8 @@ ip6tables \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -64,8 +64,8 @@ ip6tables \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -74,8 +74,8 @@ ip6tables \
--destination ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -86,8 +86,8 @@ ip6tables \
--source ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -96,6 +96,6 @@ ip6tables \
--destination ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args
b/tests/nwfilterxml2firewalldata/ah-linux.args
index c7e5c1eb17..886ccfb050 100644
--- a/tests/nwfilterxml2firewalldata/ah-linux.args
+++ b/tests/nwfilterxml2firewalldata/ah-linux.args
@@ -7,8 +7,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -29,8 +29,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -39,8 +39,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -51,8 +51,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -61,8 +61,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -71,8 +71,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -83,8 +83,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -93,6 +93,6 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
index 5eb6033c64..732627c546 100644
--- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
@@ -8,8 +8,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -19,8 +19,8 @@ ip6tables \
--source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -32,8 +32,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -42,8 +42,8 @@ ip6tables \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -54,8 +54,8 @@ ip6tables \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -64,8 +64,8 @@ ip6tables \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -74,8 +74,8 @@ ip6tables \
--destination ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -86,8 +86,8 @@ ip6tables \
--source ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -96,6 +96,6 @@ ip6tables \
--destination ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all-linux.args
b/tests/nwfilterxml2firewalldata/all-linux.args
index 187d9ed9ca..a2bc6996d7 100644
--- a/tests/nwfilterxml2firewalldata/all-linux.args
+++ b/tests/nwfilterxml2firewalldata/all-linux.args
@@ -7,8 +7,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -29,8 +29,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -39,8 +39,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -51,8 +51,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -61,8 +61,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -71,8 +71,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -83,8 +83,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -93,6 +93,6 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args
b/tests/nwfilterxml2firewalldata/comment-linux.args
index 2b940ccd84..052b607cb2 100644
--- a/tests/nwfilterxml2firewalldata/comment-linux.args
+++ b/tests/nwfilterxml2firewalldata/comment-linux.args
@@ -55,8 +55,8 @@ iptables \
--dscp 34 \
--sport 291:400 \
--dport 564:1092 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'udp rule' \
-j RETURN
@@ -69,8 +69,8 @@ iptables \
--dscp 34 \
--dport 291:400 \
--sport 564:1092 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'udp rule' \
-j ACCEPT
@@ -85,8 +85,8 @@ iptables \
--dscp 34 \
--sport 291:400 \
--dport 564:1092 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'udp rule' \
-j RETURN
@@ -99,8 +99,8 @@ ip6tables \
--dscp 57 \
--dport 32:33 \
--sport 256:4369 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'tcp/ipv6 rule' \
-j RETURN
@@ -115,8 +115,8 @@ ip6tables \
--dscp 57 \
--sport 32:33 \
--dport 256:4369 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'tcp/ipv6 rule' \
-j ACCEPT
@@ -129,8 +129,8 @@ ip6tables \
--dscp 57 \
--dport 32:33 \
--sport 256:4369 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'tcp/ipv6 rule' \
-j RETURN
@@ -138,8 +138,8 @@ ip6tables \
-w \
-A FJ-vnet0 \
-p udp \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3
spaces'\''' \
-j RETURN
@@ -147,8 +147,8 @@ ip6tables \
-w \
-A FP-vnet0 \
-p udp \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3
spaces'\''' \
-j ACCEPT
@@ -156,8 +156,8 @@ ip6tables \
-w \
-A HJ-vnet0 \
-p udp \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3
spaces'\''' \
-j RETURN
@@ -165,8 +165,8 @@ ip6tables \
-w \
-A FJ-vnet0 \
-p sctp \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two
spaces' \
-j RETURN
@@ -174,8 +174,8 @@ ip6tables \
-w \
-A FP-vnet0 \
-p sctp \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two
spaces' \
-j ACCEPT
@@ -183,8 +183,8 @@ ip6tables \
-w \
-A HJ-vnet0 \
-p sctp \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two
spaces' \
-j RETURN
@@ -192,8 +192,8 @@ ip6tables \
-w \
-A FJ-vnet0 \
-p ah \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f
${tmp}' \
-j RETURN
@@ -201,8 +201,8 @@ ip6tables \
-w \
-A FP-vnet0 \
-p ah \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f
${tmp}' \
-j ACCEPT
@@ -210,8 +210,8 @@ ip6tables \
-w \
-A HJ-vnet0 \
-p ah \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f
${tmp}' \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args
b/tests/nwfilterxml2firewalldata/conntrack-linux.args
index 78495598a1..4e7652e293 100644
--- a/tests/nwfilterxml2firewalldata/conntrack-linux.args
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args
@@ -30,20 +30,20 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
index 426bdd3083..be58a3f04b 100644
--- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
@@ -8,8 +8,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -19,8 +19,8 @@ ip6tables \
--source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -32,8 +32,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -42,8 +42,8 @@ ip6tables \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -54,8 +54,8 @@ ip6tables \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -64,8 +64,8 @@ ip6tables \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -74,8 +74,8 @@ ip6tables \
--destination ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -86,8 +86,8 @@ ip6tables \
--source ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -96,6 +96,6 @@ ip6tables \
--destination ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args
b/tests/nwfilterxml2firewalldata/esp-linux.args
index 7cd70afaa1..f8626282e4 100644
--- a/tests/nwfilterxml2firewalldata/esp-linux.args
+++ b/tests/nwfilterxml2firewalldata/esp-linux.args
@@ -7,8 +7,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -29,8 +29,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -39,8 +39,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -51,8 +51,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -61,8 +61,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -71,8 +71,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -83,8 +83,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -93,6 +93,6 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args
b/tests/nwfilterxml2firewalldata/example-1-linux.args
index 1cc3746d40..32ffb8edfa 100644
--- a/tests/nwfilterxml2firewalldata/example-1-linux.args
+++ b/tests/nwfilterxml2firewalldata/example-1-linux.args
@@ -3,66 +3,66 @@ iptables \
-A FJ-vnet0 \
-p tcp \
--sport 22 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p tcp \
--dport 22 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p tcp \
--sport 22 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
-A FJ-vnet0 \
-p icmp \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p icmp \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p icmp \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
-A FJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.args
b/tests/nwfilterxml2firewalldata/example-2-linux.args
index 87462ad954..e7247aeb23 100644
--- a/tests/nwfilterxml2firewalldata/example-2-linux.args
+++ b/tests/nwfilterxml2firewalldata/example-2-linux.args
@@ -2,8 +2,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED,RELATED \
+-m conntrack \
+--ctstate ESTABLISHED,RELATED \
-m comment \
--comment 'out: existing and related (ftp) connections' \
-j RETURN
@@ -11,8 +11,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED,RELATED \
+-m conntrack \
+--ctstate ESTABLISHED,RELATED \
-m comment \
--comment 'out: existing and related (ftp) connections' \
-j RETURN
@@ -20,8 +20,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'in: existing connections' \
-j ACCEPT
@@ -30,8 +30,8 @@ iptables \
-A FP-vnet0 \
-p tcp \
--dport 21:22 \
--m state \
---state NEW \
+-m conntrack \
+--ctstate NEW \
-m comment \
--comment 'in: ftp and ssh' \
-j ACCEPT
@@ -39,8 +39,8 @@ iptables \
-w \
-A FP-vnet0 \
-p icmp \
--m state \
---state NEW \
+-m conntrack \
+--ctstate NEW \
-m comment \
--comment 'in: icmp' \
-j ACCEPT
@@ -49,8 +49,8 @@ iptables \
-A FJ-vnet0 \
-p udp \
--dport 53 \
--m state \
---state NEW \
+-m conntrack \
+--ctstate NEW \
-m comment \
--comment 'out: DNS lookups' \
-j RETURN
@@ -59,8 +59,8 @@ iptables \
-A HJ-vnet0 \
-p udp \
--dport 53 \
--m state \
---state NEW \
+-m conntrack \
+--ctstate NEW \
-m comment \
--comment 'out: DNS lookups' \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args
b/tests/nwfilterxml2firewalldata/hex-data-linux.args
index ff8f528c48..8b09922a65 100644
--- a/tests/nwfilterxml2firewalldata/hex-data-linux.args
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args
@@ -55,8 +55,8 @@ iptables \
--dscp 34 \
--sport 291:400 \
--dport 564:1092 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -67,8 +67,8 @@ iptables \
--dscp 34 \
--dport 291:400 \
--sport 564:1092 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -81,8 +81,8 @@ iptables \
--dscp 34 \
--sport 291:400 \
--dport 564:1092 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -93,8 +93,8 @@ ip6tables \
--dscp 57 \
--dport 32:33 \
--sport 256:4369 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -107,8 +107,8 @@ ip6tables \
--dscp 57 \
--sport 32:33 \
--dport 256:4369 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -119,6 +119,6 @@ ip6tables \
--dscp 57 \
--dport 32:33 \
--sport 256:4369 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
index 7548aaeba5..a7ad6ac9d8 100644
--- a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
@@ -3,24 +3,24 @@ iptables \
-A FP-vnet0 \
-p icmp \
--icmp-type 0 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
-A FJ-vnet0 \
-p icmp \
--icmp-type 8 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
-A HJ-vnet0 \
-p icmp \
--icmp-type 8 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
index 026702caee..a1873e7448 100644
--- a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
@@ -3,24 +3,24 @@ iptables \
-A FP-vnet0 \
-p icmp \
--icmp-type 8 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
-A FJ-vnet0 \
-p icmp \
--icmp-type 0 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
-A HJ-vnet0 \
-p icmp \
--icmp-type 0 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
index 6ee6a4f84a..1fc7993908 100644
--- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
@@ -2,22 +2,22 @@ iptables \
-w \
-A FJ-vnet0 \
-p icmp \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p icmp \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p icmp \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.args
b/tests/nwfilterxml2firewalldata/icmp-linux.args
index d688e29213..02f9bf0c06 100644
--- a/tests/nwfilterxml2firewalldata/icmp-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-linux.args
@@ -8,8 +8,8 @@ iptables \
-m dscp \
--dscp 2 \
--icmp-type 12/11 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -21,8 +21,8 @@ iptables \
-m dscp \
--dscp 2 \
--icmp-type 12/11 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -34,6 +34,6 @@ iptables \
-m dscp \
--dscp 33 \
--icmp-type 255/255 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.args
b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
index 5a8546e5c8..b7f184f9b3 100644
--- a/tests/nwfilterxml2firewalldata/icmpv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
@@ -9,8 +9,8 @@ ip6tables \
-m dscp \
--dscp 2 \
--icmpv6-type 12/11 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -23,8 +23,8 @@ ip6tables \
-m dscp \
--dscp 2 \
--icmpv6-type 12/11 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -36,8 +36,8 @@ ip6tables \
-m dscp \
--dscp 33 \
--icmpv6-type 255/255 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -49,6 +49,6 @@ ip6tables \
-m dscp \
--dscp 33 \
--icmpv6-type 255/255 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args
b/tests/nwfilterxml2firewalldata/igmp-linux.args
index b954b0ae99..c0add2539b 100644
--- a/tests/nwfilterxml2firewalldata/igmp-linux.args
+++ b/tests/nwfilterxml2firewalldata/igmp-linux.args
@@ -7,8 +7,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -29,8 +29,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -39,8 +39,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -51,8 +51,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -61,8 +61,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -71,8 +71,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -83,8 +83,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -93,6 +93,6 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args
b/tests/nwfilterxml2firewalldata/ipset-linux.args
index 5cdb151354..6848f64541 100644
--- a/tests/nwfilterxml2firewalldata/ipset-linux.args
+++ b/tests/nwfilterxml2firewalldata/ipset-linux.args
@@ -2,8 +2,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j RETURN
@@ -11,8 +11,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j ACCEPT
@@ -20,8 +20,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j RETURN
@@ -56,8 +56,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
@@ -65,8 +65,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst,src \
-j ACCEPT
@@ -74,8 +74,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
@@ -83,8 +83,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
@@ -92,8 +92,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst,src \
-j ACCEPT
@@ -101,8 +101,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
@@ -110,8 +110,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j RETURN
@@ -119,8 +119,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j ACCEPT
@@ -128,8 +128,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args
b/tests/nwfilterxml2firewalldata/iter1-linux.args
index 9bdad18748..e50c768f67 100644
--- a/tests/nwfilterxml2firewalldata/iter1-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter1-linux.args
@@ -6,8 +6,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -28,8 +28,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -39,8 +39,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -50,8 +50,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 90 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -61,8 +61,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -72,8 +72,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -83,8 +83,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -94,6 +94,6 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args
b/tests/nwfilterxml2firewalldata/iter2-linux.args
index b088350ee5..7f2b0e4565 100644
--- a/tests/nwfilterxml2firewalldata/iter2-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter2-linux.args
@@ -6,8 +6,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
-m dscp \
--dscp 1 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -28,8 +28,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -39,8 +39,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -50,8 +50,8 @@ iptables \
-m dscp \
--dscp 1 \
--dport 90 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -61,8 +61,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -72,8 +72,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -83,8 +83,8 @@ iptables \
-m dscp \
--dscp 1 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -94,8 +94,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -105,8 +105,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -116,8 +116,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -127,8 +127,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -138,8 +138,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -149,8 +149,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -160,8 +160,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -171,8 +171,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -182,8 +182,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -193,8 +193,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -204,8 +204,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -215,8 +215,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 90 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -226,8 +226,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -237,8 +237,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -248,8 +248,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 90 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -259,8 +259,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -270,8 +270,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -281,8 +281,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 90 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -292,8 +292,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -304,8 +304,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -316,8 +316,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -328,8 +328,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -340,8 +340,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -352,8 +352,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -364,8 +364,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -376,8 +376,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -388,8 +388,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -400,8 +400,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -412,8 +412,8 @@ iptables \
--dscp 3 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -424,8 +424,8 @@ iptables \
--dscp 3 \
--dport 90 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -436,8 +436,8 @@ iptables \
--dscp 3 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -448,8 +448,8 @@ iptables \
--dscp 3 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -460,8 +460,8 @@ iptables \
--dscp 3 \
--dport 90 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -472,8 +472,8 @@ iptables \
--dscp 3 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -484,8 +484,8 @@ iptables \
--dscp 3 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -496,8 +496,8 @@ iptables \
--dscp 3 \
--dport 90 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -508,8 +508,8 @@ iptables \
--dscp 3 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -520,8 +520,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -532,8 +532,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -544,8 +544,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -556,8 +556,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -568,8 +568,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -580,8 +580,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -592,8 +592,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -604,8 +604,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -616,8 +616,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -628,8 +628,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -640,8 +640,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -652,8 +652,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -664,8 +664,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -676,8 +676,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -688,8 +688,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -700,8 +700,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -712,8 +712,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -724,8 +724,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -736,8 +736,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -748,8 +748,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -760,8 +760,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -772,8 +772,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -784,8 +784,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -796,8 +796,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -808,8 +808,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -820,8 +820,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -832,8 +832,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -844,8 +844,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -856,8 +856,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -868,8 +868,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -880,8 +880,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -892,8 +892,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -904,8 +904,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -916,8 +916,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -928,8 +928,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1080 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -940,8 +940,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1080 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -952,8 +952,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -964,8 +964,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -976,8 +976,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -988,8 +988,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1000,8 +1000,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1012,8 +1012,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1024,8 +1024,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1036,8 +1036,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1048,8 +1048,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1060,8 +1060,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1072,8 +1072,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1084,8 +1084,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1096,8 +1096,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1108,8 +1108,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1120,8 +1120,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1132,8 +1132,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1144,8 +1144,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1090 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1156,8 +1156,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1090 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1168,8 +1168,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1180,8 +1180,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1192,8 +1192,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1204,8 +1204,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1216,8 +1216,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1228,8 +1228,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1240,8 +1240,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1252,8 +1252,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1264,8 +1264,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1276,8 +1276,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1288,8 +1288,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1300,8 +1300,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1312,8 +1312,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1324,8 +1324,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1336,8 +1336,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1348,8 +1348,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1360,8 +1360,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1372,8 +1372,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1384,8 +1384,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1396,8 +1396,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1408,8 +1408,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1420,8 +1420,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1432,8 +1432,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1444,8 +1444,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1456,8 +1456,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1468,8 +1468,8 @@ iptables \
--dscp 4 \
--dport 80 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1480,8 +1480,8 @@ iptables \
--dscp 4 \
--sport 80 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1492,8 +1492,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1504,8 +1504,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1516,8 +1516,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1528,8 +1528,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1540,8 +1540,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1552,8 +1552,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1564,8 +1564,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1576,8 +1576,8 @@ iptables \
--dscp 4 \
--dport 90 \
--sport 1110 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1588,8 +1588,8 @@ iptables \
--dscp 4 \
--sport 90 \
--dport 1110 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1599,8 +1599,8 @@ iptables \
--destination 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1610,8 +1610,8 @@ iptables \
--source 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1621,8 +1621,8 @@ iptables \
--destination 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1632,8 +1632,8 @@ iptables \
--destination 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1643,8 +1643,8 @@ iptables \
--source 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1654,8 +1654,8 @@ iptables \
--destination 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1665,8 +1665,8 @@ iptables \
--destination 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1676,8 +1676,8 @@ iptables \
--source 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1687,8 +1687,8 @@ iptables \
--destination 1.1.1.1 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1698,8 +1698,8 @@ iptables \
--destination 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1709,8 +1709,8 @@ iptables \
--source 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1720,8 +1720,8 @@ iptables \
--destination 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1731,8 +1731,8 @@ iptables \
--destination 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1742,8 +1742,8 @@ iptables \
--source 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1753,8 +1753,8 @@ iptables \
--destination 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1764,8 +1764,8 @@ iptables \
--destination 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1775,8 +1775,8 @@ iptables \
--source 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1786,8 +1786,8 @@ iptables \
--destination 2.2.2.2 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1797,8 +1797,8 @@ iptables \
--destination 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1808,8 +1808,8 @@ iptables \
--source 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1819,8 +1819,8 @@ iptables \
--destination 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1830,8 +1830,8 @@ iptables \
--destination 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1841,8 +1841,8 @@ iptables \
--source 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1852,8 +1852,8 @@ iptables \
--destination 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1863,8 +1863,8 @@ iptables \
--destination 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1874,8 +1874,8 @@ iptables \
--source 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1885,8 +1885,8 @@ iptables \
--destination 3.3.3.3 \
-m dscp \
--dscp 5 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1896,8 +1896,8 @@ iptables \
--destination 1.1.1.1 \
-m dscp \
--dscp 6 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1907,8 +1907,8 @@ iptables \
--source 1.1.1.1 \
-m dscp \
--dscp 6 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1918,8 +1918,8 @@ iptables \
--destination 1.1.1.1 \
-m dscp \
--dscp 6 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1929,8 +1929,8 @@ iptables \
--destination 2.2.2.2 \
-m dscp \
--dscp 6 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1940,8 +1940,8 @@ iptables \
--source 2.2.2.2 \
-m dscp \
--dscp 6 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1951,8 +1951,8 @@ iptables \
--destination 2.2.2.2 \
-m dscp \
--dscp 6 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1962,8 +1962,8 @@ iptables \
--destination 3.3.3.3 \
-m dscp \
--dscp 6 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -1973,8 +1973,8 @@ iptables \
--source 3.3.3.3 \
-m dscp \
--dscp 6 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -1984,6 +1984,6 @@ iptables \
--destination 3.3.3.3 \
-m dscp \
--dscp 6 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args
b/tests/nwfilterxml2firewalldata/iter3-linux.args
index cc6d442c75..1bc769bcd4 100644
--- a/tests/nwfilterxml2firewalldata/iter3-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter3-linux.args
@@ -6,8 +6,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
-m dscp \
--dscp 1 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -28,8 +28,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -39,8 +39,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -50,8 +50,8 @@ iptables \
-m dscp \
--dscp 1 \
--dport 90 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -61,8 +61,8 @@ iptables \
-m dscp \
--dscp 1 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -72,8 +72,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -83,8 +83,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -94,8 +94,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -105,8 +105,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -116,8 +116,8 @@ iptables \
-m dscp \
--dscp 2 \
--dport 90 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -127,8 +127,8 @@ iptables \
-m dscp \
--dscp 2 \
--sport 90 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -139,8 +139,8 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -151,8 +151,8 @@ iptables \
--dscp 3 \
--dport 80 \
--sport 1100 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -163,6 +163,6 @@ iptables \
--dscp 3 \
--sport 80 \
--dport 1100 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
index 086c11ca52..55b2b10037 100644
--- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
@@ -7,8 +7,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -17,8 +17,8 @@ ip6tables \
--source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -29,8 +29,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -41,8 +41,8 @@ ip6tables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -55,8 +55,8 @@ ip6tables \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -67,8 +67,8 @@ ip6tables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -79,8 +79,8 @@ ip6tables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -93,8 +93,8 @@ ip6tables \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -105,6 +105,6 @@ ip6tables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args
b/tests/nwfilterxml2firewalldata/sctp-linux.args
index a3c5a7a72d..881f70ed72 100644
--- a/tests/nwfilterxml2firewalldata/sctp-linux.args
+++ b/tests/nwfilterxml2firewalldata/sctp-linux.args
@@ -7,8 +7,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -29,8 +29,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -41,8 +41,8 @@ iptables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -55,8 +55,8 @@ iptables \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -67,8 +67,8 @@ iptables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -79,8 +79,8 @@ iptables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -93,8 +93,8 @@ iptables \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -105,6 +105,6 @@ iptables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/target-linux.args
b/tests/nwfilterxml2firewalldata/target-linux.args
index abb01debf9..54d97307d9 100644
--- a/tests/nwfilterxml2firewalldata/target-linux.args
+++ b/tests/nwfilterxml2firewalldata/target-linux.args
@@ -49,8 +49,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'accept rule -- dir out' \
-j RETURN
@@ -61,8 +61,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'accept rule -- dir out' \
-j ACCEPT
@@ -75,8 +75,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'accept rule -- dir out' \
-j RETURN
@@ -155,8 +155,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'accept rule -- dir in' \
-j RETURN
@@ -169,8 +169,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'accept rule -- dir in' \
-j ACCEPT
@@ -181,8 +181,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-m comment \
--comment 'accept rule -- dir in' \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args
b/tests/nwfilterxml2firewalldata/target2-linux.args
index c774f6f24a..915f1ebb2b 100644
--- a/tests/nwfilterxml2firewalldata/target2-linux.args
+++ b/tests/nwfilterxml2firewalldata/target2-linux.args
@@ -21,24 +21,24 @@ iptables \
-A FJ-vnet0 \
-p tcp \
--sport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p tcp \
--dport 80 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p tcp \
--sport 80 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
index 50b5514a3b..9463d5a4c4 100644
--- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
@@ -7,8 +7,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -17,8 +17,8 @@ ip6tables \
--source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -29,8 +29,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -41,8 +41,8 @@ ip6tables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -55,8 +55,8 @@ ip6tables \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -67,8 +67,8 @@ ip6tables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -79,8 +79,8 @@ ip6tables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -93,8 +93,8 @@ ip6tables \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -105,6 +105,6 @@ ip6tables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args
b/tests/nwfilterxml2firewalldata/tcp-linux.args
index 74ac4a6733..ae2d05a753 100644
--- a/tests/nwfilterxml2firewalldata/tcp-linux.args
+++ b/tests/nwfilterxml2firewalldata/tcp-linux.args
@@ -7,8 +7,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -29,8 +29,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
index 6feec12a04..1df20ae139 100644
--- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
@@ -7,8 +7,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -17,8 +17,8 @@ ip6tables \
--source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -29,8 +29,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -41,8 +41,8 @@ ip6tables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -55,8 +55,8 @@ ip6tables \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -67,8 +67,8 @@ ip6tables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -79,8 +79,8 @@ ip6tables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -93,8 +93,8 @@ ip6tables \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -105,6 +105,6 @@ ip6tables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args
b/tests/nwfilterxml2firewalldata/udp-linux.args
index 32a8f56dfc..0a04a636ae 100644
--- a/tests/nwfilterxml2firewalldata/udp-linux.args
+++ b/tests/nwfilterxml2firewalldata/udp-linux.args
@@ -7,8 +7,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -29,8 +29,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -41,8 +41,8 @@ iptables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -55,8 +55,8 @@ iptables \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -67,8 +67,8 @@ iptables \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -79,8 +79,8 @@ iptables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -93,8 +93,8 @@ iptables \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -105,6 +105,6 @@ iptables \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
index 6be6aa0069..4c1d254ba8 100644
--- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
@@ -8,8 +8,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -19,8 +19,8 @@ ip6tables \
--source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -32,8 +32,8 @@ ip6tables \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -42,8 +42,8 @@ ip6tables \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -54,8 +54,8 @@ ip6tables \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -64,8 +64,8 @@ ip6tables \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -74,8 +74,8 @@ ip6tables \
--destination ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
ip6tables \
-w \
@@ -86,8 +86,8 @@ ip6tables \
--source ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-w \
@@ -96,6 +96,6 @@ ip6tables \
--destination ::ffff:10.1.2.3/128 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args
b/tests/nwfilterxml2firewalldata/udplite-linux.args
index 8f3a9e8f24..7e85aaf15d 100644
--- a/tests/nwfilterxml2firewalldata/udplite-linux.args
+++ b/tests/nwfilterxml2firewalldata/udplite-linux.args
@@ -7,8 +7,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -17,8 +17,8 @@ iptables \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -29,8 +29,8 @@ iptables \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -39,8 +39,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -51,8 +51,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -61,8 +61,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -71,8 +71,8 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
iptables \
-w \
@@ -83,8 +83,8 @@ iptables \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
-j ACCEPT
iptables \
-w \
@@ -93,6 +93,6 @@ iptables \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--m state \
---state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
-j RETURN
--
2.35.1