In equuleus we have two configuration scripts that control the same conntrack settings:
- The firewall.init service, which creates the base structures for a firewall. It also enables NAT helpers and configures conntrack table settings.
- conntrack.py, which controls all the conntrack-related settings.
If both of them are configured, conntrack.py takes precedence and overrides the default settings configured by firewall.init. But if conntrack settings are completely removed from the configuration file, the settings created by firewall.init remain in effect after a system start.
This breaks CLI configuration. For example, in this situation, NAT helpers will be loaded even if, according to the CLI, they should not be active.
Conntrack settings should be removed from firewall.init to fix this issue.
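
One way to check a running system for the mismatch described above: compare the conntrack/NAT helper modules listed in /proc/modules with the helper protocols the CLI configuration is supposed to enable. This is an added example, not code from the project. It assumes the helpers are built as loadable kernel modules; the function names, the protocol list and the sample input are constructed for illustration.

```python
import re
import sys

# Protocols with in-kernel conntrack/NAT helper modules (Linux netfilter).
HELPER_PROTOCOLS = {"ftp", "h323", "pptp", "sip", "tftp", "irc", "amanda"}
HELPER_RE = re.compile(r"^nf_(?:conntrack|nat)_(\w+)$")

# Constructed sample in /proc/modules format, not captured from a real system.
SAMPLE_PROC_MODULES = """\
nf_nat_ftp 16384 0 - Live 0x0000000000000000
nf_conntrack_ftp 20480 1 nf_nat_ftp, Live 0x0000000000000000
nf_nat_sip 20480 0 - Live 0x0000000000000000
nf_conntrack_sip 32768 1 nf_nat_sip, Live 0x0000000000000000
nf_conntrack_netlink 49152 0 - Live 0x0000000000000000
nf_nat 49152 2 nf_nat_ftp,nf_nat_sip, Live 0x0000000000000000
nf_conntrack 172032 5 nf_nat_ftp,nf_conntrack_ftp,nf_nat, Live 0x0000000000000000
"""


def loaded_helpers(proc_modules_text):
    """Map helper protocol -> sorted list of loaded modules for it."""
    found = {}
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        match = HELPER_RE.match(fields[0])
        # Skips core modules such as nf_conntrack, nf_nat, nf_conntrack_netlink.
        if match and match.group(1) in HELPER_PROTOCOLS:
            found.setdefault(match.group(1), []).append(fields[0])
    return {proto: sorted(mods) for proto, mods in found.items()}


def unexpected_helpers(proc_modules_text, enabled_in_cli):
    """Return modules loaded for protocols the CLI config does not enable."""
    enabled = set(enabled_in_cli)
    drift = []
    for proto, mods in loaded_helpers(proc_modules_text).items():
        if proto not in enabled:
            drift.extend(mods)
    return sorted(drift)


if __name__ == "__main__":
    # Arguments: helper protocols the CLI enables; reads the live /proc/modules.
    with open("/proc/modules") as handle:
        drift = unexpected_helpers(handle.read(), sys.argv[1:])
    print("\n".join(drift) if drift else "no unexpected helper modules")
    sys.exit(1 if drift else 0)
```

Run with no arguments on a system whose configuration has no conntrack section; any module printed was loaded outside the CLI's control.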