A new rule passing packets for nether inspection replaces the old one,
which worked only for TCP.
The new rule makes a policy check for the first packet in each network flow, as
seen by the conntrack module. This is done by matching all packets that have
ctstate=NEW (the packet has started a new connection) but not checking those
that have ctstatus=CONFIRMED (the connection is confirmed: the originating
packet has left the box). This rule causes nether to check each first packet on
the flow, the minimum required for determining whether the connection should be
allowed.
For TCP connections, this should work exactly like the old rule. For
connectionless protocols it will check the first packet of the network flow.
Change-Id: Iccbe8febd1568a615d8169123d7f45b4e998a47d
:POSTROUTING ACCEPT [824147:75308906]
-A INPUT -j SECMARK --selctx System
-A OUTPUT -o lo -j ACCEPT
--A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass
+-A OUTPUT -m conntrack --ctstate NEW ! --ctstatus CONFIRMED -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
*filter
:INPUT ACCEPT [927054:2081201095]
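Review bot: the claim in the commit message that TCP behaves "exactly as the old rule" does not hold for the replaced `-A OUTPUT -p tcp -m state --state NEW -j NFQUEUE` line: a SYN that gets no reply leaves the conntrack entry in state NEW but CONFIRMED once the first packet has passed POSTROUTING, so retransmitted SYNs were queued to nether under the old rule and are skipped by the new `--ctstate NEW ! --ctstatus CONFIRMED` match. That is probably the intended behaviour (one verdict per flow), but the message should say so rather than claim identical TCP semantics, and it is worth confirming that a DROP verdict from nether on the first packet leaves the entry unconfirmed so the retransmission is re-inspected instead of silently passing. Two existing properties that the widened protocol scope makes more significant also deserve a sentence in the message: packets exempted from tracking (ctstate UNTRACKED, e.g. via a raw-table NOTRACK rule) never match ctstate NEW and so bypass inspection entirely, and `--queue-bypass` means every first packet of every protocol is accepted when no userspace listener is attached to queue 0, so the policy check fails open whenever nether is down.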