diff --git a/firewall/firewall-lib.pl b/firewall/firewall-lib.pl
index 6f82c1bad..1d6cd2853 100755
--- a/firewall/firewall-lib.pl
+++ b/firewall/firewall-lib.pl
@@ -240,11 +240,12 @@ return @rv;
 sub describe_rule
 {
 local (@c, $d);
+my $sd = &supports_conntrack() ? "ctstate" : "state";
 foreach $d ('p', 's', 'd', 'i', 'o', 'f', 'dport',
 	    'sport', 'tcp-flags', 'tcp-option',
 	    'icmp-type', 'icmpv6-type', 'mac-source', 'limit', 'limit-burst',
 	    'ports', 'uid-owner', 'gid-owner',
-	    'pid-owner', 'sid-owner', 'state', 'ctstate', 'tos',
+	    'pid-owner', 'sid-owner', $sd, 'tos',
 	    'dports', 'sports', 'physdev-in', 'physdev-out', 'args') {
 	if ($_[0]->{$d}) {