From d1fbd9c59d786f38757516b23e47af2974659e5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Thu, 27 Mar 2014 17:15:59 +0100
Subject: [PATCH] proxyvm: use "conntrack" iptables module instead of deprecated "state"
---
 core-modules/006QubesProxyVm.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/core-modules/006QubesProxyVm.py b/core-modules/006QubesProxyVm.py
index fe956914..e81d09d5 100644
--- a/core-modules/006QubesProxyVm.py
+++ b/core-modules/006QubesProxyVm.py
@@ -126,12 +126,14 @@ class QubesProxyVm(QubesNetVm):
 # Strict INPUT rules
 iptables += "-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n"
- iptables += "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+ iptables += "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED " \
+ "-j ACCEPT\n"
 iptables += "-A INPUT -p icmp -j ACCEPT\n"
 iptables += "-A INPUT -i lo -j ACCEPT\n"
 iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
- iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+ iptables += "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED " \
+ "-j ACCEPT\n"
 # Allow dom0 networking
 iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n"
 # Deny inter-VMs networking