I am also seeing this issue in 1.890. 'uname -r' reports 4.9.0-3-amd64. For me, rules added from the shell would render correctly when using "-m state --state ESTABLISHED" but not when using "-m conntrack --ctstate ESTABLISHED". There is a "@known_args" array at around line 24 of firewall4-lib.pl and firewall6-lib.pl which is missing the newly supported '--ctstate' option. I added that option to those array initializers, and this problem is resolved locally for me.