procps starts too early to correctly set net.netfilter.nf_conntrack_acct

I've hit a similar problem, though it's net.bridge.bridge-nf-call-iptables that I care about.

It's not because it's running too early though, it's not running at all. I confirmed this by adding some echos to a log file to the script in /etc/init/procps.conf. It appears to be broken in both karmic and maverick. I think this must be an upstart or mountall bug.

@David,

I just found a workaround for the net.bridge.bridge-nf-call-*tables values. You need to add the bridge module to /etc/modules and run update-initramfs :

echo "bridge" >> /etc/modules
update-initramfs -k all -u

This works because the bridge module is responsible to create the sysctl keys once loaded. Having the module included in the initrd makes sure the keys will exist when procps upstart job is run.

I haven't test for the net.netfilter.nf_conntrack_acct key but I think that including the nf_conntrack module to /etc/modules would fix this too.

Instead of using the previous workaround I modified /etc/init/procps.conf and added /etc/init/procps-net.conf. With the modified and the new files everything is working (including net.netfilter.nf_conntrack_acct) without needing to add modules to the initrd.

Ok, looks like we're hitting different bugs. For me, on karmic at least the procps.conf script is not being run *at all*.

@David,

Maybe adding a "post-up" command to your bridge configuration in /etc/network/interfaces would help. Here is an example :

# The primary network interface
auto br0
iface br0 inet static
    address 172.16.20.1
    netmask 255.255.255.0
    gateway 172.16.20.2

    # Workaround for upstart problem
    post-up /sbin/sysctl -p /etc/sysctl.d/60-bridge-firewalling.conf

I confirm, I have the same problem and the following setting is not applied:
net.ipv4.netfilter.ip_conntrack_max=1548576

@Arkadiy

As a workaround you you install the /etc/init/procps.conf and /etc/init/procps-net.conf from comments #3 and #4.

This is an issue with the procps package, not Upstart.

This issue is related to bug 771372.

@James, since the latest packages uploaded to lucid-proposed for bug 771372, the problem is fixed. Many thanks.

Marking as "fix released" as the -updates package fixes the issue on Lucid.

i still have a problem that net.ipv4.netfilter.ip_conntrack_max are not applying

I'd like to second that, still having this on Ubuntu server 12.04 LTS.

Could not find a way to edit comments but I'd like to retract comment #14. In my case it was first touching any iptables related stuff in rc.local which seems to be executed later then procps. I am now force loading the related module 'nf_conntrack_ipv4' in /etc/modules which makes the sysctl.d settings being properly applied on next boot.

This was one of the most confusing system configuration related bugs I have ever had to chase. Hopefully there is some way (I know this is not easy) to make this whole process better in the future :)