missing conntrack library after do-release-upgrade to bionic

Hi.

What happens:
I performed a 'do-release-upgrade' from xenial to bionic. Afterwards, my iptables-restore commands fail to fully restore (IPv4) rules, giving me instead the error:

Can't find library for match `conntrack'

(My IPv6 rules simply block IPv6 altogether, so have no stateful inspection)

One time only so far, after reboot I checked my firewall rules with 'iptables -S' and all rules were loaded, including conntrack matching rules. Every other time (4-5 reboots) it fails, as above. If I remove 'ctstate' rules and use instead '-m state' rules, it still fails with the same error. I'm confused by that, because I don't think my rules rely on any conntrack. The firewall loaded at boot is loaded by firewalld. The iptables-restore files are used only to write a different ruleset when I start my vpn service.

Restarting firewalld does not fix the problem above.

What I expect to happen:
1) firewall rules are correctly restored from file, including conntrack based rules, with no error.
2) do-release-upgrade updates packages correctly, without breaking kernel-based tools
3) firewall rules created at boot by firewalld should consistently work (or consistently break, at least)

What else I have tried (besides rebooting, and restarting the firewalld service):
I have installed every metapackage for the release-upgrade of kernel images, headers, tools, etc. for the upgrade from xenial to bionic, I have installed all the libraries I can find related to iptables, nftables, xtables2, [x|nf]tables-iptables compatibility, etc. etc. I've installed the kernel-modules and kernel modules-extra packages.

I can't figure out what library I might be "missing". Also, the fact that one time all worked fine immediately after reboot tells me I'm probably not actually missing a library. (...at least it loaded the conntrack rules and ctstate rules -- until I tried to load my restore file for my vpn rules, at which point it failed again).

Here are the kernel modules that are loaded as I write, and while I see the above error:

#> lsmod | grep conntrack
nf_conntrack_netbios_ns 16384 2
nf_conntrack_broadcast 16384 1 nf_conntrack_netbios_ns
nf_conntrack_netlink 40960 0
nf_conntrack_ipv6 20480 26
nf_defrag_ipv6 36864 1 nf_conntrack_ipv6
xt_conntrack 16384 49
nf_conntrack_ipv4 16384 28
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
nf_conntrack 131072 12 xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv6,nf_conntrack_ipv4,nf_nat,nf_nat_ipv6,ipt_MASQUERADE,nf_conntrack_netbios_ns,nf_nat_ipv4,nf_conntrack_broadcast,nf_conntrack_netlink,xt_CT
nfnetlink 16384 9 nf_conntrack_netlink,nf_tables,ip_set
x_tables 40960 22 ebtables,ip6table_filter,xt_conntrack,ip6table_raw,iptable_filter,iptable_security,ip6t_rpfilter,xt_LOG,xt_tcpudp,ipt_MASQUERADE,xt_addrtype,xt_AUDIT,ip6_tables,xt_mac,ipt_REJECT,xt_CT,iptable_raw,ip_tables,ip6table_mangle,ip6table_security,ip6t_REJECT,iptable_mangle
libcrc32c 16384 3 nf_conntrack,nf_nat,raid456

I've reached the end of what I can think to do to troubleshoot, or get more information about the failure to load the (whatever) library. Can anyone help?

Thanks in advance,
Rich