[Bug 1436] New: nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18
bugzilla-daemon at netfilter.org
Mon Jun 22 20:14:29 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1436
Bug ID: 1436
Summary: nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18
Product: netfilter/iptables
Version: linux-2.6.x
Hardware: x86_64
OS: Fedora
Status: NEW
Severity: critical
Priority: P5
Component: nf_conntrack
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: rce-dev at protonmail.com
Created attachment 596
--> https://bugzilla.netfilter.org/attachment.cgi?id=596&action=edit
dmesg showing failures
To begin, I do not know if this is a kernel issue or a netfilter issue.
The same version of netfilter functions properly under kernel
5.6.15-200.fc31.x86_64 but fails under later kernels
Starting suricata fails with the log entry:
[ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
14/6/2020 09:06:14 - <Error> - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize
Suricata is run as an inline IPS:
/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -v -D -q 1 -q 2 -q 3
suricata-4.1.6-1.fc31.x86_64 uses nftables-0.9.1-3.fc31.x86_64
nftables example:
chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" counter packets 22486 bytes 4101987 queue num 1-3 fanout
    ...
}
I've attached dmesg output which shows failures of suricata run (sequentially) with q1-3 and then with a single q4.
`cat /proc/net/netfilter/nfnetlink_queue`
1 1286 0 2 65531 0 0 390 1
2 2382334644 0 2 65531 0 0 413 1
4 3099 0 2 65531 0 0 259 1
snort fails with:
FATAL ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_initialize: nf queue creation failed
snort-2.9.16-1.fc31.x86_64 uses iptables-1.8.3-7.fc31.x86_64
example:
iptables -A OUTPUT -s 127.0.0.1/32 -j NFQUEUE --queue-num 1
OS is Fedora fc31
This may not be proper etiquette, but I've also reported this on
https://bugzilla.redhat.com/show_bug.cgi?id=1846809
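The /proc/net/netfilter/nfnetlink_queue dump quoted in the report is the quickest way to see which NFQUEUE numbers actually have a userspace listener bound and whether packets are being dropped. The following decoder is an added example and is not part of the bug report or of the netfilter project; it assumes the column layout printed by the kernel's nfnetlink_queue seq_show() (queue_num, peer_portid, queue_total, copy_mode, copy_range, queue_dropped, queue_user_dropped, id_sequence, then a constant 1). The first three sample lines are copied from the report; the fourth is constructed to show the drop and copy-mode findings.

```python
"""Decode /proc/net/netfilter/nfnetlink_queue and check the queues an IPS expects."""
from dataclasses import dataclass

# Column order follows the seq_show() format string in net/netfilter/nfnetlink_queue.c
COPY_MODES = {0: "NFQNL_COPY_NONE", 1: "NFQNL_COPY_META", 2: "NFQNL_COPY_PACKET"}

# Lines 1, 2 and 4 are the report's output; queue 5 is a constructed line.
SAMPLE = """\
1 1286 0 2 65531 0 0 390 1
2 2382334644 0 2 65531 0 0 413 1
4 3099 0 2 65531 0 0 259 1
5 4242 7 1 65531 3 0 88 1
"""


@dataclass
class QueueStatus:
    queue_num: int
    peer_portid: int   # netlink port id of the bound userspace process
    queue_total: int   # packets currently waiting for a verdict
    copy_mode: int
    copy_range: int
    queue_dropped: int  # dropped because the queue was full
    user_dropped: int   # dropped because delivery to userspace failed
    id_sequence: int


def parse_nfnetlink_queue(text):
    queues = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 9:
            raise ValueError(f"unexpected nfnetlink_queue line: {line!r}")
        queues.append(QueueStatus(*[int(f) for f in fields[:8]]))
    return queues


def check_queues(queues, expected):
    """Return findings for each queue number the IPS was started with (e.g. -q 1 -q 2 -q 3)."""
    present = {q.queue_num: q for q in queues}
    findings = []
    for num in expected:
        q = present.get(num)
        if q is None:
            findings.append(f"queue {num}: no listener bound (queue creation failed or process exited)")
            continue
        if q.queue_dropped or q.user_dropped:
            findings.append(f"queue {num}: dropped {q.queue_dropped} (queue full) / {q.user_dropped} (userspace)")
        if q.copy_mode != 2:
            findings.append(f"queue {num}: copy mode {COPY_MODES.get(q.copy_mode, q.copy_mode)}, payload not copied")
    return findings
```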