use conntrack instead of state

Same, but with corrected line wrapping for the manual page.

Confirmed: I am experiencing this bug in Gentoo Linux with ufw-0.33.

However, I downgraded back to ufw-0.31.1 and am still experiencing it, even though I used etc-update to downgrade the config files too.

@up
Thanks for the confirmation. The problem is not specific to version 0.33, but indeed happens also in 0.31.1, for example.

Somehow I missed two occurrences. This one should be complete.

I'm still having a problem, even after installing the latest version:

# ufw enable
ERROR: problem running ufw-init
WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore: line 54 failed
WARNING: The state match is obsolete. Use conntrack instead.
ip6tables-restore: line 40 failed

Problem running '/etc/ufw/user/user.rules'
Problem running '/etc/ufw/user/user6.rules'

#

I have ufw-0.33-r1 re-installed on 6 November 2012 from the Gentoo Portage repository, so it should have S. Nizio's latest patch:

# eix -I ufw
[I] kde-misc/kcm-ufw
     Available versions: (4) (~)0.4.3
        {{aqua debug LINGUAS="en es fr lt"}}
     Installed versions: 0.4.3(4)(09:13:18 22/09/12)(-aqua -debug LINGUAS="en -es -fr -lt")
     Homepage: http://kde-apps.org/content/show.php?content=137789
     Description: KCM module to control the Uncomplicated Firewall

[I] net-firewall/ufw
     Available versions: (~)0.30.1-r2^t[1] (~)0.31.1-r1^t (~)0.33-r1^t {{bash-completion examples ipv6}}
     Installed versions: 0.33-r1^t(17:38:15 06/11/12)(ipv6 -examples)
     Homepage: http://launchpad.net/ufw
     Description: A program used to manage a netfilter firewall

[I] net-firewall/ufw-frontends
     Available versions: (~)0.2.0^m[1] (~)0.3.2
     Installed versions: 0.3.2(09:13:35 22/09/12)
     Homepage: http://code.google.com/p/ufw-frontends/
     Description: Provides graphical frontend to ufw

[1] "local_overlay" /usr/local/portage

Found 3 matches.
#

Ignore my previous comment (Comment #6). I have just uninstalled the package, deleted all the related files I could find, and re-installed it again. This time it works.

Yes, old rules (using state) were still there. Deleting all rules and re-adding them should be enough.

Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691135

Also, there is another, related but different change, this time in kernel (commit a9006892643a8f4e885b692de0708bcb35a7d530), that deprecates automatic helper assignment. Background information:
https://home.regit.org/netfilter-en/secure-use-of-helpers/ .

The patch looks good overall, but get_netfilter_capabilities() needs to be updated and a ton of tests. I am working on that now.

Fix committed to trunk. Thanks for the patch. :)

I'm happy to see that. :) However, please also remember about comment 8, for another change. I don't know if something/what needs to be fixed, but I sometimes get the "Use the iptables CT target to attach helpers instead" message in dmesg (with IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns").