I have checked that ip_conntrack_ftp is working fine under the current stable OpenVZ kernel (RHEL6-based, 2.6.32).

Apparently, it was fixed in the 2.6.27 OpenVZ kernel in May 2010 (http://git.openvz . org/?p=linux-2.6.27-openvz;a=commit;h=b1a1a2481d6ecf5843104f81b2c334bc0eb3c1f2 <-- remove spaces between openvz and org to view the link)

Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module
is currently broken you have to open a PASV port hole in iptables for
incoming FTP connections to work correctly. See the csf readme.txt
under 'A note about FTP Connection Issues' on how to do this.

That makes this warning useless. Moreover, it forces people to create a less secure setup by opening a passive port range.

I suggest modifying the check to take the kernel version number into account and disabling the warning for 2.6.x and 3.y kernels (where x > 27 and y is any number).
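
The version rule suggested in the post, written out as a shell check. This is an added example, not part of the original post and not csf code. The function names `is_uint` and `pasv_warning_needed` are hypothetical and the sample release strings are constructed. Release strings outside the stated rule, or ones that cannot be parsed, keep the warning.

```shell
#!/bin/sh
# Added example (not csf code): the rule proposed in the post above.
# The warning is skipped on 2.6.x kernels with x > 27 and on any 3.y kernel;
# every other release string, including unparsable ones, keeps the warning.

# True if $1 is a non-empty string of decimal digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# pasv_warning_needed RELEASE  (RELEASE as printed by `uname -r`)
# Returns 0 if the warning should still be shown, 1 if it can be skipped.
pasv_warning_needed() {
    base=${1%%[-+]*}                 # drop build suffix such as "-042stab120.11"
    major=${base%%.*}
    rest=${base#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}

    # Conservative default: anything not clearly numeric keeps the warning.
    is_uint "$major" && is_uint "$minor" || return 0

    # 3.y, where y is any number.
    [ "$major" -eq 3 ] && return 1

    # 2.6.x with x strictly greater than 27, as the post states it.
    if [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && is_uint "$patch" \
        && [ "$patch" -gt 27 ]; then
        return 1
    fi
    return 0
}

# Constructed sample release strings, for illustration only.
for r in 2.6.18-028stab101.1 2.6.27 2.6.32-042stab120.11 3.10.0-1160.el7 4.19.0; do
    if pasv_warning_needed "$r"; then
        echo "$r: show warning"
    else
        echo "$r: skip warning"
    fi
done
```
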