<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1436">1436</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18
</td>
</tr>
<tr>
<th>Product</th>
<td>netfilter/iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>linux-2.6.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Fedora
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>critical
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nf_conntrack
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>rce-dev@protonmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=596" name="attach_596" title="dmesg showing failures">attachment 596</a> <a href="attachment.cgi?id=596&action=edit" title="dmesg showing failures">[details]</a></span>
dmesg showing failures
To begin, I do not know if this is a kernel issue or a netfilter issue.
The same version of netfilter functions properly under kernel
5.6.15-200.fc31.x86_64 but fails under later kernels
Starting suricata fails with the log entry:
[ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
14/6/2020 09:06:14 - &lt;Error&gt; - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq
thread failed to initialize
Suricata is run as an inline IPS:
/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
-v -D -q 1 -q 2 -q 3
suricata-4.1.6-1.fc31.x86_64 uses nftables-0.9.1-3.fc31.x86_64
nftables example:
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" counter packets 22486 bytes 4101987 queue num 1-3
fanout
.
.
.
}
I've attached dmesg output which shows failures of suricata run (sequentially)
with q1-3 and then with a single q4.
`cat /proc/net/netfilter/nfnetlink_queue`
1 1286 0 2 65531 0 0 390 1
2 2382334644 0 2 65531 0 0 413 1
4 3099 0 2 65531 0 0 259 1
snort fails with:
FATAL ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_initialize: nf queue
creation failed
snort-2.9.16-1.fc31.x86_64 uses iptables-1.8.3-7.fc31.x86_64
example:
iptables -A OUTPUT -s 127.0.0.1/32 -j NFQUEUE --queue-num 1
OS is Fedora fc31
This may not be proper etiquette, but I've also reported this on
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1846809">https://bugzilla.redhat.com/show_bug.cgi?id=1846809</a></pre>
</div>
</p>
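<p>The report quotes <code>/proc/net/netfilter/nfnetlink_queue</code> without naming its columns. The script below is an added example, not part of the bug report or of the netfilter project: it parses that file using the column order printed by <code>nfqnl_seq_show()</code> in <code>net/netfilter/nfnetlink_queue.c</code> (queue number, peer netlink portid, packets waiting, copy mode, copy range, kernel-side drops, userspace-delivery drops, id sequence, and a trailing constant 1) and reports which of the queue numbers a new process wants are still held by another netlink socket. The sample input is the three lines from the report; the function names and the fallback to the sample when the proc file is absent are this example's own choices.</p>

```python
"""Parse /proc/net/netfilter/nfnetlink_queue and report which NFQUEUE
numbers are already bound to a netlink socket.

Column order follows nfqnl_seq_show() in net/netfilter/nfnetlink_queue.c:
queue_num, peer_portid, queue_total, copy_mode, copy_range,
queue_dropped, queue_user_dropped, id_sequence, then a constant 1.
(Added example; not code from the bug report or the netfilter project.)
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# NFQNL_COPY_* values from linux/netfilter/nfnetlink_queue.h
COPY_MODES: Dict[int, str] = {
    0: "NFQNL_COPY_NONE",
    1: "NFQNL_COPY_META",
    2: "NFQNL_COPY_PACKET",
}

# Constructed sample input: the three lines quoted in the bug report.
SAMPLE = """\
1 1286 0 2 65531 0 0 390 1
2 2382334644 0 2 65531 0 0 413 1
4 3099 0 2 65531 0 0 259 1
"""


@dataclass(frozen=True)
class QueueInstance:
    queue_num: int
    peer_portid: int          # netlink portid of the socket holding the queue
    queue_total: int          # packets currently waiting for a verdict
    copy_mode: int
    copy_range: int           # bytes of packet copied to userspace
    queue_dropped: int        # dropped because queue_maxlen was reached
    queue_user_dropped: int   # dropped because delivery to userspace failed
    id_sequence: int

    @property
    def copy_mode_name(self) -> str:
        return COPY_MODES.get(self.copy_mode, f"unknown({self.copy_mode})")


def parse_nfnetlink_queue(text: str) -> List[QueueInstance]:
    """Parse the proc file contents; raise ValueError on a malformed line."""
    instances: List[QueueInstance] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 columns, got {len(fields)}")
        try:
            values = [int(f) for f in fields]
        except ValueError as exc:
            raise ValueError(f"line {lineno}: non-numeric column") from exc
        instances.append(QueueInstance(*values[:8]))  # drop the trailing constant
    return instances


def already_bound(instances: List[QueueInstance], wanted: Set[int]) -> Dict[int, int]:
    """Map each wanted queue number that is still bound to its peer portid.

    An instance is listed only while a netlink socket holds it, so a hit here
    means a bind of that queue number from another process will be refused.
    """
    return {i.queue_num: i.peer_portid for i in instances if i.queue_num in wanted}


def drop_report(instances: List[QueueInstance]) -> List[str]:
    """One line per queue that has dropped packets (empty list if none)."""
    out: List[str] = []
    for i in instances:
        if i.queue_dropped or i.queue_user_dropped:
            out.append(f"queue {i.queue_num}: kernel-dropped={i.queue_dropped} "
                       f"user-dropped={i.queue_user_dropped}")
    return out


if __name__ == "__main__":
    from pathlib import Path

    proc = Path("/proc/net/netfilter/nfnetlink_queue")
    data = proc.read_text() if proc.exists() else SAMPLE
    insts = parse_nfnetlink_queue(data)
    for i in insts:
        print(f"queue {i.queue_num:>3} portid {i.peer_portid:>10} "
              f"{i.copy_mode_name} range {i.copy_range} waiting {i.queue_total}")
    # Queue numbers the inline IPS in the report asks for: -q 1 -q 2 -q 3
    for qnum, portid in already_bound(insts, {1, 2, 3}).items():
        print(f"queue {qnum} is still held by netlink portid {portid}")
    for line in drop_report(insts):
        print(line)
```

Run on the report's sample, queues 1 and 2 show up as held by portids 1286 and 2382334644 while 3 is free; on a live host the script reads the real proc file instead.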
</body>
</html>