--- ./include/linux/netfilter_ipv4/ipt_conntrack.h.old 2007-06-01 16:17:36.000000000 +0100
+++ ./include/linux/netfilter_ipv4/ipt_conntrack.h 2007-06-01 16:18:08.000000000 +0100
@@ -28,6 +28,8 @@
 #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
 #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
 #define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+#define IPT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
+#define IPT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
 
 /* flags, invflags: */
 #define IPT_CONNTRACK_STATE 0x01
--- ./extensions/libipt_conntrack.man.old 2007-06-01 16:12:43.000000000 +0100
+++ ./extensions/libipt_conntrack.man 2007-06-01 16:14:00.000000000 +0100
@@ -25,6 +25,12 @@
 .B DNAT
 A virtual state, matching if the original destination differs from the
 reply source.
+.B ORIGINAL
+A virtual state, matching if the packet being compared is part of the
+original flow that created the conntrack.
+.B REPLY
+A virtual state, matching if the packet being compared is part of the
+reply flow.
 .TP
 .BI "--ctproto " "proto"
 Protocol to match (by number or name)
--- ./extensions/libipt_conntrack.c.old 2007-06-01 16:14:12.000000000 +0100
+++ ./extensions/libipt_conntrack.c 2007-06-01 16:16:39.000000000 +0100
@@ -24,7 +24,7 @@
 {
 	printf(
 "conntrack match v%s options:\n"
-" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n"
+" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT|ORIGINAL|REPLY][,...]\n"
 " State(s) to match\n"
 " [!] --ctproto proto Protocol to match; by number or name, eg. `tcp'\n"
 " --ctorigsrc [!] address[/mask]\n"
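Review bot: The two new bit definitions go into the userspace copy of the kernel ABI header, but the kernel-side definition of the same bits and the code that sets them are not part of this patch, so nothing here ties `IP_CT_NUMBER + 4` and `IP_CT_NUMBER + 5` to what the running kernel computes. If the kernel numbers these bits differently, a `--ctstate ORIGINAL` rule would presumably be installed without error and simply never match, or match the opposite direction, which is hard to notice from the ruleset alone. A comment above the new lines would make the invariant explicit, e.g. `/* virtual states: direction of the packet within its conntrack; values must match the kernel's ipt_conntrack.h */`.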
@@ -73,6 +73,10 @@
 		sinfo->statemask |= IPT_CONNTRACK_STATE_SNAT;
 	else if (strncasecmp(state, "DNAT", strlen) == 0)
 		sinfo->statemask |= IPT_CONNTRACK_STATE_DNAT;
+	else if (strncasecmp(state, "ORIGINAL", strlen) == 0)
+		sinfo->statemask |= IPT_CONNTRACK_STATE_ORIGINAL;
+	else if (strncasecmp(state, "REPLY", strlen) == 0)
+		sinfo->statemask |= IPT_CONNTRACK_STATE_REPLY;
 	else
 		return 0;
 	return 1;
@@ -376,6 +380,14 @@
 		printf("%sDNAT", sep);
 		sep = ",";
 	}
+	if (statemask & IPT_CONNTRACK_STATE_ORIGINAL) {
+		printf("%sORIGINAL", sep);
+		sep = ",";
+	}
+	if (statemask & IPT_CONNTRACK_STATE_REPLY) {
+		printf("%sREPLY", sep);
+		sep = ",";
+	}
 	printf(" ");
 }
 
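Review bot: The two new comparisons in the first hunk inherit the bounded-prefix semantics of the surrounding chain: `strlen` here is the token length, so `--ctstate ORIG` or `--ctstate REP` is accepted as ORIGINAL / REPLY, and because RELATED is tested earlier in the chain, a token of `RE` silently resolves to RELATED instead of being rejected. If exact names are intended, the new branches should also check the length, e.g. `else if (strlen == sizeof("ORIGINAL") - 1 && strncasecmp(state, "ORIGINAL", strlen) == 0)` and likewise for `"REPLY"`; if abbreviation is deliberate, a one-line comment saying so would keep the next reader from filing it as a bug. The parameter named `strlen` also shadows the libc function, which is pre-existing but worth renaming while this chain is being extended. The enclosing function starts outside the hunk.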
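Review bot: The ORIGINAL and REPLY blocks in the second hunk repeat the same three-line print-then-set-separator pattern that every preceding state uses, and the `sep = ",";` after `printf("%sREPLY", sep);` is dead since only `printf(" ")` follows it. A `static const` table of `{ bit, name }` pairs walked in a loop would let this printer and the parser in the first hunk share a single list, so a future state needs one entry instead of two hand-written branches. The enclosing function starts outside the hunk, so I cannot see whether it also serves the rule-save path; if it does, the new names do round-trip through the parser above as written.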