nwfilter: drop support for legacy iptables match syntax

Long ago we adapted to iptables changes by introducing support for '-m conntrack': commit 06844ccbaa Author: Stefan Berger <stefanb@us.ibm.com> Date: Tue Aug 6 20:30:46 2013 -0400 nwfilter: Use -m conntrack rather than -m state Since iptables version 1.4.16 '-m state --state NEW' is converted to '-m conntrack --ctstate NEW'. Therefore, when encountering this or later versions of iptables use '-m conntrack --ctstate'. Given our supported platform targets, we no longer need to consider a version of iptables before 1.4.16, so can drop support for the old syntax. The test suite updates are triggered because that never probed for the new syntax, and so unconditionally generated the old syntax. Reviewed-by: Laine Stump <laine@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2024-12-22 05:35:25 +00:00 · 2022-02-25 16:24:21 +00:00 · 2022-02-25 16:24:21 +00:00 · 02b8045517
commit 02b8045517
parent 7aec69b7fb
32 changed files with 806 additions and 871 deletions
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@ -88,8 +88,6 @@ static enum ctdirStatus iptables_ctdir_corrected;
 #define PRINT_IPT_ROOT_CHAIN(buf, prefix, ifname) \
    g_snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname)

-static bool newMatchState;
-
 #define MATCH_PHYSDEV_IN_FW   "-m", "physdev", "--physdev-in"
 #define MATCH_PHYSDEV_OUT_FW  "-m", "physdev", "--physdev-is-bridged", "--physdev-out"
 #define MATCH_PHYSDEV_OUT_OLD_FW  "-m", "physdev", "--physdev-out"
@ -1489,16 +1487,10 @@ _iptablesCreateRuleInstance(virFirewall *fw,
    }

    if (match && !skipMatch) {
-        if (newMatchState)
-            virFirewallRuleAddArgList(fw, fwrule,
-                                      "-m", "conntrack",
-                                      "--ctstate", match,
-                                      NULL);
-        else
-            virFirewallRuleAddArgList(fw, fwrule,
-                                      "-m", "state",
-                                      "--state", match,
-                                      NULL);
+        virFirewallRuleAddArgList(fw, fwrule,
+                                  "-m", "conntrack",
+                                  "--ctstate", match,
+                                  NULL);
    }

    if (defMatch && match != NULL && !skipMatch && !hasICMPType)
@ -3668,61 +3660,6 @@ ebiptablesDriverProbeCtdir(void)
 }


-static int
-ebiptablesDriverProbeStateMatchQuery(virFirewall *fw G_GNUC_UNUSED,
-                                     virFirewallLayer layer G_GNUC_UNUSED,
-                                     const char *const *lines,
-                                     void *opaque)
-{
-    unsigned long *version = opaque;
-    char *tmp;
-
-    if (!lines || !lines[0]) {
-        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                       _("No output from iptables --version"));
-        return -1;
-    }
-
-    /*
-     * we expect output in the format
-     * 'iptables v1.4.16'
-     */
-    if (!(tmp = strchr(lines[0], 'v')) ||
-        virStringParseVersion(version, tmp + 1, true) < 0) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("Cannot parse version string '%s'"),
-                       lines[0]);
-        return -1;
-    }
-
-    return 0;
-}
-
-
-static int
-ebiptablesDriverProbeStateMatch(void)
-{
-    unsigned long version;
-    g_autoptr(virFirewall) fw = virFirewallNew();
-
-    virFirewallStartTransaction(fw, 0);
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
-                           false, ebiptablesDriverProbeStateMatchQuery, &version,
-                           "--version", NULL);
-
-    if (virFirewallApply(fw) < 0)
-        return -1;
-
-    /*
-     * since version 1.4.16 '-m state --state ...' will be converted to
-     * '-m conntrack --ctstate ...'
-     */
-    if (version >= 1 * 1000000 + 4 * 1000 + 16)
-        newMatchState = true;
-
-    return 0;
-}
-
 static int
 ebiptablesDriverInit(bool privileged)
 {
@ -3730,8 +3667,6 @@ ebiptablesDriverInit(bool privileged)
        return 0;

    ebiptablesDriverProbeCtdir();
-    if (ebiptablesDriverProbeStateMatch() < 0)
-        return -1;

    ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;

--- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
@ -8,8 +8,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -19,8 +19,8 @@ ip6tables \
 --source a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -32,8 +32,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -42,8 +42,8 @@ ip6tables \
 --destination a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -54,8 +54,8 @@ ip6tables \
 --source a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -64,8 +64,8 @@ ip6tables \
 --destination a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -74,8 +74,8 @@ ip6tables \
 --destination ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -86,8 +86,8 @@ ip6tables \
 --source ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -96,6 +96,6 @@ ip6tables \
 --destination ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/ah-linux.args
+++ b/tests/nwfilterxml2firewalldata/ah-linux.args
@ -7,8 +7,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -29,8 +29,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -39,8 +39,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -51,8 +51,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -61,8 +61,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -71,8 +71,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -83,8 +83,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -93,6 +93,6 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
@ -8,8 +8,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -19,8 +19,8 @@ ip6tables \
 --source a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -32,8 +32,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -42,8 +42,8 @@ ip6tables \
 --destination a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -54,8 +54,8 @@ ip6tables \
 --source a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -64,8 +64,8 @@ ip6tables \
 --destination a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -74,8 +74,8 @@ ip6tables \
 --destination ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -86,8 +86,8 @@ ip6tables \
 --source ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -96,6 +96,6 @@ ip6tables \
 --destination ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/all-linux.args
+++ b/tests/nwfilterxml2firewalldata/all-linux.args
@ -7,8 +7,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -29,8 +29,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -39,8 +39,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -51,8 +51,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -61,8 +61,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -71,8 +71,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -83,8 +83,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -93,6 +93,6 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/comment-linux.args
+++ b/tests/nwfilterxml2firewalldata/comment-linux.args
@ -55,8 +55,8 @@ iptables \
 --dscp 34 \
 --sport 291:400 \
 --dport 564:1092 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment 'udp rule' \
 -j RETURN
@ -69,8 +69,8 @@ iptables \
 --dscp 34 \
 --dport 291:400 \
 --sport 564:1092 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'udp rule' \
 -j ACCEPT
@ -85,8 +85,8 @@ iptables \
 --dscp 34 \
 --sport 291:400 \
 --dport 564:1092 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment 'udp rule' \
 -j RETURN
@ -99,8 +99,8 @@ ip6tables \
 --dscp 57 \
 --dport 32:33 \
 --sport 256:4369 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'tcp/ipv6 rule' \
 -j RETURN
@ -115,8 +115,8 @@ ip6tables \
 --dscp 57 \
 --sport 32:33 \
 --dport 256:4369 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment 'tcp/ipv6 rule' \
 -j ACCEPT
@ -129,8 +129,8 @@ ip6tables \
 --dscp 57 \
 --dport 32:33 \
 --sport 256:4369 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'tcp/ipv6 rule' \
 -j RETURN
@ -138,8 +138,8 @@ ip6tables \
 -w \
 -A FJ-vnet0 \
 -p udp \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j RETURN
@ -147,8 +147,8 @@ ip6tables \
 -w \
 -A FP-vnet0 \
 -p udp \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j ACCEPT
@ -156,8 +156,8 @@ ip6tables \
 -w \
 -A HJ-vnet0 \
 -p udp \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j RETURN
@ -165,8 +165,8 @@ ip6tables \
 -w \
 -A FJ-vnet0 \
 -p sctp \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j RETURN
@ -174,8 +174,8 @@ ip6tables \
 -w \
 -A FP-vnet0 \
 -p sctp \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j ACCEPT
@ -183,8 +183,8 @@ ip6tables \
 -w \
 -A HJ-vnet0 \
 -p sctp \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j RETURN
@ -192,8 +192,8 @@ ip6tables \
 -w \
 -A FJ-vnet0 \
 -p ah \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \
 -j RETURN
@ -201,8 +201,8 @@ ip6tables \
 -w \
 -A FP-vnet0 \
 -p ah \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \
 -j ACCEPT
@ -210,8 +210,8 @@ ip6tables \
 -w \
 -A HJ-vnet0 \
 -p ah \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/conntrack-linux.args
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args
@ -30,20 +30,20 @@ iptables \
 -w \
 -A FJ-vnet0 \
 -p all \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A FP-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
 -A HJ-vnet0 \
 -p all \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
@ -8,8 +8,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -19,8 +19,8 @@ ip6tables \
 --source a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -32,8 +32,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -42,8 +42,8 @@ ip6tables \
 --destination a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -54,8 +54,8 @@ ip6tables \
 --source a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -64,8 +64,8 @@ ip6tables \
 --destination a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -74,8 +74,8 @@ ip6tables \
 --destination ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -86,8 +86,8 @@ ip6tables \
 --source ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -96,6 +96,6 @@ ip6tables \
 --destination ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/esp-linux.args
+++ b/tests/nwfilterxml2firewalldata/esp-linux.args
@ -7,8 +7,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -29,8 +29,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -39,8 +39,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -51,8 +51,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -61,8 +61,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -71,8 +71,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -83,8 +83,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -93,6 +93,6 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/example-1-linux.args
+++ b/tests/nwfilterxml2firewalldata/example-1-linux.args
@ -3,66 +3,66 @@ iptables \
 -A FJ-vnet0 \
 -p tcp \
 --sport 22 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A FP-vnet0 \
 -p tcp \
 --dport 22 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
 -A HJ-vnet0 \
 -p tcp \
 --sport 22 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A FJ-vnet0 \
 -p icmp \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A FP-vnet0 \
 -p icmp \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
 -A HJ-vnet0 \
 -p icmp \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A FJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A FP-vnet0 \
 -p all \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
 -A HJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
--- a/tests/nwfilterxml2firewalldata/example-2-linux.args
+++ b/tests/nwfilterxml2firewalldata/example-2-linux.args
@ -2,8 +2,8 @@ iptables \
 -w \
 -A FJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED,RELATED \
+-m conntrack \
+--ctstate ESTABLISHED,RELATED \
 -m comment \
 --comment 'out: existing and related (ftp) connections' \
 -j RETURN
@ -11,8 +11,8 @@ iptables \
 -w \
 -A HJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED,RELATED \
+-m conntrack \
+--ctstate ESTABLISHED,RELATED \
 -m comment \
 --comment 'out: existing and related (ftp) connections' \
 -j RETURN
@ -20,8 +20,8 @@ iptables \
 -w \
 -A FP-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'in: existing connections' \
 -j ACCEPT
@ -30,8 +30,8 @@ iptables \
 -A FP-vnet0 \
 -p tcp \
 --dport 21:22 \
-m state \
--state NEW \
+-m conntrack \
+--ctstate NEW \
 -m comment \
 --comment 'in: ftp and ssh' \
 -j ACCEPT
@ -39,8 +39,8 @@ iptables \
 -w \
 -A FP-vnet0 \
 -p icmp \
-m state \
--state NEW \
+-m conntrack \
+--ctstate NEW \
 -m comment \
 --comment 'in: icmp' \
 -j ACCEPT
@ -49,8 +49,8 @@ iptables \
 -A FJ-vnet0 \
 -p udp \
 --dport 53 \
-m state \
--state NEW \
+-m conntrack \
+--ctstate NEW \
 -m comment \
 --comment 'out: DNS lookups' \
 -j RETURN
@ -59,8 +59,8 @@ iptables \
 -A HJ-vnet0 \
 -p udp \
 --dport 53 \
-m state \
--state NEW \
+-m conntrack \
+--ctstate NEW \
 -m comment \
 --comment 'out: DNS lookups' \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/hex-data-linux.args
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args
@ -55,8 +55,8 @@ iptables \
 --dscp 34 \
 --sport 291:400 \
 --dport 564:1092 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -67,8 +67,8 @@ iptables \
 --dscp 34 \
 --dport 291:400 \
 --sport 564:1092 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -81,8 +81,8 @@ iptables \
 --dscp 34 \
 --sport 291:400 \
 --dport 564:1092 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -93,8 +93,8 @@ ip6tables \
 --dscp 57 \
 --dport 32:33 \
 --sport 256:4369 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -107,8 +107,8 @@ ip6tables \
 --dscp 57 \
 --sport 32:33 \
 --dport 256:4369 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -119,6 +119,6 @@ ip6tables \
 --dscp 57 \
 --dport 32:33 \
 --sport 256:4369 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
@ -3,24 +3,24 @@ iptables \
 -A FP-vnet0 \
 -p icmp \
 --icmp-type 0 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
 -A FJ-vnet0 \
 -p icmp \
 --icmp-type 8 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A HJ-vnet0 \
 -p icmp \
 --icmp-type 8 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
--- a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
@ -3,24 +3,24 @@ iptables \
 -A FP-vnet0 \
 -p icmp \
 --icmp-type 8 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
 -A FJ-vnet0 \
 -p icmp \
 --icmp-type 0 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A HJ-vnet0 \
 -p icmp \
 --icmp-type 0 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
--- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
@ -2,22 +2,22 @@ iptables \
 -w \
 -A FJ-vnet0 \
 -p icmp \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A FP-vnet0 \
 -p icmp \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
 -A HJ-vnet0 \
 -p icmp \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
--- a/tests/nwfilterxml2firewalldata/icmp-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-linux.args
@ -8,8 +8,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --icmp-type 12/11 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -21,8 +21,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --icmp-type 12/11 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -34,6 +34,6 @@ iptables \
 -m dscp \
 --dscp 33 \
 --icmp-type 255/255 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
--- a/tests/nwfilterxml2firewalldata/icmpv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
@ -9,8 +9,8 @@ ip6tables \
 -m dscp \
 --dscp 2 \
 --icmpv6-type 12/11 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -23,8 +23,8 @@ ip6tables \
 -m dscp \
 --dscp 2 \
 --icmpv6-type 12/11 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -36,8 +36,8 @@ ip6tables \
 -m dscp \
 --dscp 33 \
 --icmpv6-type 255/255 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -49,6 +49,6 @@ ip6tables \
 -m dscp \
 --dscp 33 \
 --icmpv6-type 255/255 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
--- a/tests/nwfilterxml2firewalldata/igmp-linux.args
+++ b/tests/nwfilterxml2firewalldata/igmp-linux.args
@ -7,8 +7,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -29,8 +29,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -39,8 +39,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -51,8 +51,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -61,8 +61,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -71,8 +71,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -83,8 +83,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -93,6 +93,6 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/ipset-linux.args
+++ b/tests/nwfilterxml2firewalldata/ipset-linux.args
@ -2,8 +2,8 @@ iptables \
 -w \
 -A FJ-vnet0 \
 -p all \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m set \
 --match-set tck_test src,dst \
 -j RETURN
@ -11,8 +11,8 @@ iptables \
 -w \
 -A FP-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m set \
 --match-set tck_test dst,src \
 -j ACCEPT
@ -20,8 +20,8 @@ iptables \
 -w \
 -A HJ-vnet0 \
 -p all \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m set \
 --match-set tck_test src,dst \
 -j RETURN
@ -56,8 +56,8 @@ iptables \
 -w \
 -A FJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m set \
 --match-set tck_test dst,src,dst \
 -j RETURN
@ -65,8 +65,8 @@ iptables \
 -w \
 -A FP-vnet0 \
 -p all \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m set \
 --match-set tck_test src,dst,src \
 -j ACCEPT
@ -74,8 +74,8 @@ iptables \
 -w \
 -A HJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m set \
 --match-set tck_test dst,src,dst \
 -j RETURN
@ -83,8 +83,8 @@ iptables \
 -w \
 -A FJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m set \
 --match-set tck_test dst,src,dst \
 -j RETURN
@ -92,8 +92,8 @@ iptables \
 -w \
 -A FP-vnet0 \
 -p all \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m set \
 --match-set tck_test src,dst,src \
 -j ACCEPT
@ -101,8 +101,8 @@ iptables \
 -w \
 -A HJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m set \
 --match-set tck_test dst,src,dst \
 -j RETURN
@ -110,8 +110,8 @@ iptables \
 -w \
 -A FJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m set \
 --match-set tck_test dst,src \
 -j RETURN
@ -119,8 +119,8 @@ iptables \
 -w \
 -A FP-vnet0 \
 -p all \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m set \
 --match-set tck_test src,dst \
 -j ACCEPT
@ -128,8 +128,8 @@ iptables \
 -w \
 -A HJ-vnet0 \
 -p all \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m set \
 --match-set tck_test dst,src \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/iter1-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter1-linux.args
@ -6,8 +6,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --dport 80 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -28,8 +28,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -39,8 +39,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 90 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -50,8 +50,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --dport 90 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -61,8 +61,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 90 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -72,8 +72,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -83,8 +83,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --dport 80 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -94,6 +94,6 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/iter2-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter2-linux.args
--- a/tests/nwfilterxml2firewalldata/iter3-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter3-linux.args
@ -6,8 +6,8 @@ iptables \
 -m dscp \
 --dscp 1 \
 --sport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 -m dscp \
 --dscp 1 \
 --dport 80 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -28,8 +28,8 @@ iptables \
 -m dscp \
 --dscp 1 \
 --sport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -39,8 +39,8 @@ iptables \
 -m dscp \
 --dscp 1 \
 --sport 90 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -50,8 +50,8 @@ iptables \
 -m dscp \
 --dscp 1 \
 --dport 90 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -61,8 +61,8 @@ iptables \
 -m dscp \
 --dscp 1 \
 --sport 90 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -72,8 +72,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -83,8 +83,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --dport 80 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -94,8 +94,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -105,8 +105,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 90 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -116,8 +116,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --dport 90 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -127,8 +127,8 @@ iptables \
 -m dscp \
 --dscp 2 \
 --sport 90 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -139,8 +139,8 @@ iptables \
 --dscp 3 \
 --sport 80 \
 --dport 1100 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -151,8 +151,8 @@ iptables \
 --dscp 3 \
 --dport 80 \
 --sport 1100 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -163,6 +163,6 @@ iptables \
 --dscp 3 \
 --sport 80 \
 --dport 1100 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
@ -7,8 +7,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -17,8 +17,8 @@ ip6tables \
 --source a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -29,8 +29,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -41,8 +41,8 @@ ip6tables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -55,8 +55,8 @@ ip6tables \
 --dscp 33 \
 --sport 20:21 \
 --dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -67,8 +67,8 @@ ip6tables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -79,8 +79,8 @@ ip6tables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -93,8 +93,8 @@ ip6tables \
 --dscp 63 \
 --sport 255:256 \
 --dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -105,6 +105,6 @@ ip6tables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/sctp-linux.args
+++ b/tests/nwfilterxml2firewalldata/sctp-linux.args
@ -7,8 +7,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -29,8 +29,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -41,8 +41,8 @@ iptables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -55,8 +55,8 @@ iptables \
 --dscp 33 \
 --sport 20:21 \
 --dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -67,8 +67,8 @@ iptables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -79,8 +79,8 @@ iptables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -93,8 +93,8 @@ iptables \
 --dscp 63 \
 --sport 255:256 \
 --dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -105,6 +105,6 @@ iptables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/target-linux.args
+++ b/tests/nwfilterxml2firewalldata/target-linux.args
@ -49,8 +49,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment 'accept rule -- dir out' \
 -j RETURN
@ -61,8 +61,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'accept rule -- dir out' \
 -j ACCEPT
@ -75,8 +75,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment 'accept rule -- dir out' \
 -j RETURN
@ -155,8 +155,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'accept rule -- dir in' \
 -j RETURN
@ -169,8 +169,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -m comment \
 --comment 'accept rule -- dir in' \
 -j ACCEPT
@ -181,8 +181,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -m comment \
 --comment 'accept rule -- dir in' \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/target2-linux.args
+++ b/tests/nwfilterxml2firewalldata/target2-linux.args
@ -21,24 +21,24 @@ iptables \
 -A FJ-vnet0 \
 -p tcp \
 --sport 80 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
 -A FP-vnet0 \
 -p tcp \
 --dport 80 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
 -A HJ-vnet0 \
 -p tcp \
 --sport 80 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
--- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
@ -7,8 +7,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -17,8 +17,8 @@ ip6tables \
 --source a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -29,8 +29,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -41,8 +41,8 @@ ip6tables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -55,8 +55,8 @@ ip6tables \
 --dscp 33 \
 --sport 20:21 \
 --dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -67,8 +67,8 @@ ip6tables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -79,8 +79,8 @@ ip6tables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -93,8 +93,8 @@ ip6tables \
 --dscp 63 \
 --sport 255:256 \
 --dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -105,6 +105,6 @@ ip6tables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/tcp-linux.args
+++ b/tests/nwfilterxml2firewalldata/tcp-linux.args
@ -7,8 +7,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -29,8 +29,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
--- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
@ -7,8 +7,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -17,8 +17,8 @@ ip6tables \
 --source a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -29,8 +29,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -41,8 +41,8 @@ ip6tables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -55,8 +55,8 @@ ip6tables \
 --dscp 33 \
 --sport 20:21 \
 --dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -67,8 +67,8 @@ ip6tables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -79,8 +79,8 @@ ip6tables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -93,8 +93,8 @@ ip6tables \
 --dscp 63 \
 --sport 255:256 \
 --dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -105,6 +105,6 @@ ip6tables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/udp-linux.args
+++ b/tests/nwfilterxml2firewalldata/udp-linux.args
@ -7,8 +7,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -29,8 +29,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -41,8 +41,8 @@ iptables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -55,8 +55,8 @@ iptables \
 --dscp 33 \
 --sport 20:21 \
 --dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -67,8 +67,8 @@ iptables \
 --dscp 33 \
 --dport 20:21 \
 --sport 100:1111 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -79,8 +79,8 @@ iptables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -93,8 +93,8 @@ iptables \
 --dscp 63 \
 --sport 255:256 \
 --dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -105,6 +105,6 @@ iptables \
 --dscp 63 \
 --dport 255:256 \
 --sport 65535:65535 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
@ -8,8 +8,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -19,8 +19,8 @@ ip6tables \
 --source a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -32,8 +32,8 @@ ip6tables \
 --destination a:b:c::d:e:f/128 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -42,8 +42,8 @@ ip6tables \
 --destination a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -54,8 +54,8 @@ ip6tables \
 --source a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -64,8 +64,8 @@ ip6tables \
 --destination a:b:c::/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -74,8 +74,8 @@ ip6tables \
 --destination ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 ip6tables \
 -w \
@ -86,8 +86,8 @@ ip6tables \
 --source ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
 -w \
@ -96,6 +96,6 @@ ip6tables \
 --destination ::ffff:10.1.2.3/128 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
--- a/tests/nwfilterxml2firewalldata/udplite-linux.args
+++ b/tests/nwfilterxml2firewalldata/udplite-linux.args
@ -7,8 +7,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -17,8 +17,8 @@ iptables \
 --source 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -29,8 +29,8 @@ iptables \
 --destination 10.1.2.3/32 \
 -m dscp \
 --dscp 2 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -39,8 +39,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -51,8 +51,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -61,8 +61,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -71,8 +71,8 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN
 iptables \
 -w \
@ -83,8 +83,8 @@ iptables \
 --source 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state NEW,ESTABLISHED \
+-m conntrack \
+--ctstate NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
 -w \
@ -93,6 +93,6 @@ iptables \
 --destination 10.1.2.3/22 \
 -m dscp \
 --dscp 33 \
-m state \
--state ESTABLISHED \
+-m conntrack \
+--ctstate ESTABLISHED \
 -j RETURN