I'd like to test for TCP flags in a firewall rule. I always *disable* connection tracking and filter based on TCP flags.
So, three things I need:
1. Allow me to disable the `xt_conntrack` kernel module
2. Allow me to do `--syn` on outbound rules and `! --syn` on inbound rules with the service as the source
3. A service can also be a source

Or better yet, combine the last two into the default for stateless filtering for iptables. I don't want anybody with a service source port like 22 (possible!) to connect to all of my services, but I don't want to keep state in my IPv6 firewall.
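
The stateless filtering requested above, sketched as an added example (not part of the original post and not any project's own code): a shell function that emits an `ip6tables-restore` ruleset using only TCP flag matches, with no `-m conntrack` or `-m state`. The function name `gen_rules` and the port lists are constructed for illustration, and the single outbound rule per remote service (covering both the SYN and the follow-up segments) is one reading of the request.

```shell
#!/bin/sh
# Added example: stateless IPv6 TCP filtering by flags instead of connection state.
# Port lists are constructed sample values, not taken from the post.
LOCAL_SERVICES="22"        # TCP ports this host serves
REMOTE_SERVICES="22 443"   # TCP ports this host connects out to

# Usage: gen_rules | ip6tables-restore --test
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # IPv6 needs ICMPv6 (neighbour discovery, path MTU) to function.
    echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    echo '-A OUTPUT -p ipv6-icmp -j ACCEPT'
    for p in $LOCAL_SERVICES; do
        # Clients may send any segment to a local service port ...
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
        # ... and the service only answers; it never sends a bare SYN.
        echo "-A OUTPUT -p tcp --sport $p ! --syn -j ACCEPT"
    done
    for p in $REMOTE_SERVICES; do
        # Outbound to the service: the initial SYN and everything after it.
        echo "-A OUTPUT -p tcp --dport $p -j ACCEPT"
        # Inbound with the service as source: replies only.
        # Weak form (no "! --syn") would let any peer that picks source
        # port $p open connections to every local TCP port:
        #   -A INPUT -p tcp --sport $p -j ACCEPT
        echo "-A INPUT -p tcp --sport $p ! --syn -j ACCEPT"
    done
    echo 'COMMIT'
}
```

`--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`, so `! --syn` still admits the SYN-ACK of a handshake this host started. Non-SYN segments from those source ports still pass the filter and are left to the TCP stack to reject; only connection setup from a service source port is blocked.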