From 96a19a452174667f47c55f4185cd1c6ec4fb6289 Mon Sep 17 00:00:00 2001
From: Hao <soccerhaotian@hotmail.com>
Date: Wed, 8 Mar 2017 08:01:47 -0800
Subject: [PATCH] iptables module: match=conntrack with ctstate not working
 (#21976)

---
 lib/ansible/modules/system/iptables.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/ansible/modules/system/iptables.py b/lib/ansible/modules/system/iptables.py
index e22328ea8c2..ce6e89c5436 100644
--- a/lib/ansible/modules/system/iptables.py
+++ b/lib/ansible/modules/system/iptables.py
@@ -399,8 +399,15 @@ def construct_rule(params):
         False)
     append_match(rule, params['comment'], 'comment')
     append_param(rule, params['comment'], '--comment', False)
-    append_match(rule, params['ctstate'], 'state')
-    append_csv(rule, params['ctstate'], '--state')
+    if 'conntrack' in params['match']:
+        append_csv(rule, params['ctstate'], '--ctstate')
+    elif 'state' in params['match']:
+        append_csv(rule, params['ctstate'], '--state')
+    elif params['ctstate']:
+        append_match(rule, params['ctstate'], 'conntrack')
+        append_csv(rule, params['ctstate'], '--ctstate')
+    else:
+        return False
     append_match(rule, params['limit'] or params['limit_burst'], 'limit')
     append_param(rule, params['limit'], '--limit', False)
     append_param(rule, params['limit_burst'], '--limit-burst', False)