TCP window tracking should be disabled when using a kernel < 2.6.22 (http://conntrack-tools.netfilter.org/manual.html#sync). Without TCP window tracking disabled, conntrackd did not start, although the running kernel was >= 2.6.22.

Reproducible: Always

Steps to Reproduce:
1. emerge net-firewall/conntrack-tools
2. /etc/init.d/conntrackd start

Actual Results:
 * You need to disable TCP window tracking
 * Add the following line to your /etc/sysctl.conf:
 * net.netfilter.nf_conntrack_tcp_be_liberal = 1
 * ...and run this to activate the setting: sysctl -q -p
 * ERROR: conntrackd failed to start

Expected Results:
 * Starting conntrackd [ ok ]
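The failure above comes from an init script check that fires regardless of the running kernel, while upstream only documents the be_liberal sysctl as a requirement for kernels older than 2.6.22. The following POSIX sh is an added example, not the Gentoo conntrackd init script or any code from this bug: it shows a kernel-version comparison that gates the sysctl check so it only applies below 2.6.22. The function names (version_lt, conntrackd_tcp_window_check) and the --live invocation are assumptions made for this example; the version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not the Gentoo conntrackd init script): gate the
# nf_conntrack_tcp_be_liberal check on the running kernel version so it only
# fires for kernels older than 2.6.22, the case upstream documents.

# num FIELD: leading digits of a version field, or 0 if there are none.
num() {
    n=${1%%[!0-9]*}
    echo "${n:-0}"
}

# version_lt A B: succeed (0) when kernel version A is older than B.
# Compares the first three dotted fields numerically; local suffixes such as
# "-gentoo-r1" or "_rc1" are dropped, so "3.2.1-gentoo-r1" compares as 3.2.1.
version_lt() {
    a=${1%%[-_]*}
    b=${2%%[-_]*}
    old_ifs=$IFS
    IFS=.
    set -- $a
    a1=$(num "${1:-0}"); a2=$(num "${2:-0}"); a3=$(num "${3:-0}")
    set -- $b
    b1=$(num "${1:-0}"); b2=$(num "${2:-0}"); b3=$(num "${3:-0}")
    IFS=$old_ifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ] && return 0 || return 1; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ] && return 0 || return 1; fi
    [ "$a3" -lt "$b3" ] && return 0 || return 1
}

# conntrackd_tcp_window_check KERNEL_VERSION BE_LIBERAL_VALUE
# Returns 0 when conntrackd may start, 1 when the user still has to set
# net.netfilter.nf_conntrack_tcp_be_liberal = 1. The gate is the point:
# on a kernel >= 2.6.22 the sysctl value is not consulted at all.
conntrackd_tcp_window_check() {
    kver=$1
    be_liberal=$2
    if version_lt "$kver" 2.6.22 && [ "$be_liberal" != 1 ]; then
        echo "You need to disable TCP window tracking" >&2
        echo "Add the following line to your /etc/sysctl.conf:" >&2
        echo "net.netfilter.nf_conntrack_tcp_be_liberal = 1" >&2
        echo "...and run this to activate the setting: sysctl -q -p" >&2
        return 1
    fi
    return 0
}

# Hypothetical live invocation: only when run as "sh script.sh --live" read
# the running kernel and the current sysctl value from /proc.
if [ "${1:-}" = "--live" ]; then
    be=$(cat /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal 2>/dev/null || echo 0)
    conntrackd_tcp_window_check "$(uname -r)" "$be" && echo "conntrackd may start"
fi
```

The comparison is numeric per field rather than a string compare, which is what goes wrong when a script treats "2.6.9" as greater than "2.6.22" or lets a "-gentoo" suffix leak into the test; with such a gate, a 3.x kernel with be_liberal left at 0 passes, while a 2.6.18 kernel still gets the upstream instructions.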
Created attachment 303371: conntrackd.initd-r1.patch. Init-script patch borrowing some code from the udev init script ;)
*** Bug 410091 has been marked as a duplicate of this bug. ***
I ran into the same problem. I really think that the check should just be dropped; this is a marked example of what happens if a runscript tries to be too clever. Consider the following:

 * The requirement is clearly stated in the upstream documentation
 * The chances of a Gentoo user wanting to use a kernel older than 2.6.22 are slim
 * These sorts of checks and balances should be properly reviewed every time the ebuild receives a major version bump - otherwise they do more harm than good and we're better off without them.

In my view, it would be more constructive to look at how conntrackd behaves where it is started with window tracking requested *and* a < 2.6.22 kernel running. Does it ignore the window tracking option or refuse to start? Does it log anything? Why, exactly, do we need to hold the user's hand here? If it doesn't behave in a fashion amenable to problem resolution, we can ask Pablo Neira Ayuso to change it for the better. That way everyone benefits and we don't end up with situations such as this one, where the Gentoo package is effectively broken out of the box until - eventually - something gets done. For this particular issue, it hardly seems worth the effort. Nobody in their right mind should be running a production firewall on any kernel older than the currently supported longterm release.
I have followed up on Kerin's suggestion and put a 1.2.2-r1 ebuild in the tree that installs an init.d script with the exclusion of the TCP window tracking check.
Using your init script in our overlay for conntrack-tools-1.0.0 (no time for upgrade tests now ;)) works fine. Thanks!