All my configs have 4 rules:
accept for Connection State = established
accept for Connection State = related
(for input and forward chains respectively)
after upgrade to latest ROS (for example 6.33.1 -> 6.37.1), I discovered that these rules now without any "Connection State" value!
now its simply "accept all input" and "accept all forward"!
this is a serious security breach!