FWG Log Schema

I'm in the process of ID'ing the log schema used for network traffic by the FWG. In the kernel.log, does anyone have any guidance on the following?

1. key 'D' can have a value of 'I', 'O', or 'W'. Anyone know what this is? I believe it's traffic direction but not sure.
2. for blocked traffic, some 'OUT' (dest interface) values are blank, whereas most blocked traffic have 'br1'. Anyone know why?
3. key 'MARK' (at least in past 24 hrs) can have a value of '0x13', '0x1e', or '0x3d'. What do they mean?
4. sometimes there are multiple 'LEN' k/v's in a single line..why is that?