Index: linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
===================================================================
--- linux-2.6.17.1.orig/include/linux/netfilter/xt_conntrack.h
+++ linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
@@ -14,6 +14,9 @@
 #define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
 #define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
 #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+/* match on direction of packet */
+#define XT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
+#define XT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
 
 /* flags, invflags: */
 #define XT_CONNTRACK_STATE 0x01
Index: linux-2.6.17.1/net/netfilter/xt_conntrack.c
===================================================================
--- linux-2.6.17.1.orig/net/netfilter/xt_conntrack.c
+++ linux-2.6.17.1/net/netfilter/xt_conntrack.c
@@ -63,6 +63,11 @@ match(const struct sk_buff *skb,
 if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip !=
 ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip)
 statebit |= XT_CONNTRACK_STATE_DNAT;
+
+ if(CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
+ statebit |= XT_CONNTRACK_STATE_ORIGINAL;
+ else
+ statebit |= XT_CONNTRACK_STATE_REPLY;
 }
 
 if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
@@ -150,6 +155,11 @@ match(const struct sk_buff *skb,
 if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip !=
 ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip)
 statebit |= XT_CONNTRACK_STATE_DNAT;
+
+ if(CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
+ statebit |= XT_CONNTRACK_STATE_ORIGINAL;
+ else
+ statebit |= XT_CONNTRACK_STATE_REPLY;
 }
 
 if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
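Review bot: The comment `/* match on direction of packet */` above the two new defines does not say what the direction is relative to, and since this header is the interface the userspace match extension compiles against, the meaning should be pinned here; I'd write `/* direction of this packet relative to the connection's ORIGINAL tuple (the side that sent the first packet) */`. The new bits are derived from IP_CT_NUMBER like the existing SNAT/DNAT/UNTRACKED ones, so any userspace copy of these constants has to be updated in lockstep or rules will silently test the wrong bit; a sentence in the commit description noting that would help, as none is visible here. Worth also noting in the comment that, judging from the .c hunks, at most one of the two bits is ever set per packet.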
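Review bot: The direction bits added at the end of both .c hunks (the @@ -63 and @@ -150 ones) are set inside a block that, judging from the `}` that closes it just before the FWINV check, appears to be entered only when a conntrack entry exists, so a packet without one carries neither XT_CONNTRACK_STATE_ORIGINAL nor XT_CONNTRACK_STATE_REPLY and satisfies both the inverted `! ORIGINAL` and `! REPLY` forms of the state test; if that is intended it deserves a comment next to the new `else`, e.g. `/* no ct: neither direction bit is set, so an inverted direction match also accepts INVALID */`. The same five lines are duplicated verbatim in the ip_conntrack and nf_conntrack branches; a one-line `statebit |= CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL ? XT_CONNTRACK_STATE_ORIGINAL : XT_CONNTRACK_STATE_REPLY;` in both places, or a small static helper, would keep them from drifting apart. The new `if(` also lacks the space after `if` that the adjacent `if (FWINV(` uses. match() starts and ends outside both hunks.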