bugzilla-daemon at netfilter.org
2020-Jun-22 18:14 UTC
[Bug 1436] New: nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18
https://bugzilla.netfilter.org/show_bug.cgi?id=1436
Bug ID: 1436
Summary: nf_conntrack_update fails in fedora kernels 5.6.16 and
5.6.18
Product: netfilter/iptables
Version: linux-2.6.x
Hardware: x86_64
OS: Fedora
Status: NEW
Severity: critical
Priority: P5
Component: nf_conntrack
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: rce-dev at protonmail.com
Created attachment 596
--> https://bugzilla.netfilter.org/attachment.cgi?id=596&action=edit
dmesg showing failures
To begin, I do not know if this is a kernel issue or a netfilter issue.
The same version of netfilter functions properly under kernel
5.6.15-200.fc31.x86_64 but fails under later kernels.
Starting suricata fails with the log entry:
[ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
14/6/2020 09:06:14 - <Error> - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize
Suricata is run as an inline IPS:
/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -v -D -q 1 -q 2 -q 3
suricata-4.1.6-1.fc31.x86_64 uses nftables-0.9.1-3.fc31.x86_64
nftables example:
chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" counter packets 22486 bytes 4101987 queue num 1-3 fanout
    .
    .
    .
}
I've attached dmesg output which shows failures of suricata run (sequentially)
with q1-3 and then with a single q4.
`cat /proc/net/netfilter/nfnetlink_queue`
1 1286 0 2 65531 0 0 390 1
2 2382334644 0 2 65531 0 0 413 1
4 3099 0 2 65531 0 0 259 1
snort fails with:
FATAL ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_initialize: nf queue creation failed
snort-2.9.16-1.fc31.x86_64 uses iptables-1.8.3-7.fc31.x86_64
example:
iptables -A OUTPUT -s 127.0.0.1/32 -j NFQUEUE --queue-num 1
OS is Fedora fc31
This may not be proper etiquette, but I've also reported this on
https://bugzilla.redhat.com/show_bug.cgi?id=1846809
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200622/0febbba9/attachment.html>
bugzilla-daemon at netfilter.org
2020-Jun-22 18:15 UTC
[Bug 1436] nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18
https://bugzilla.netfilter.org/show_bug.cgi?id=1436
rce-dev at protonmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|linux-2.6.x |unspecified
bugzilla-daemon at netfilter.org
2020-Jun-24 15:07 UTC
[Bug 1436] nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18
https://bugzilla.netfilter.org/show_bug.cgi?id=1436
--- Comment #1 from rce-dev at protonmail.com ---
Created attachment 597
--> https://bugzilla.netfilter.org/attachment.cgi?id=597&action=edit
kernel 5.6.19 reporter-print (1) output

This bug makes it impossible to run an IPS process under kernels 5.6.16-19.
Bug is still present in 5.6.19; IPS is run with:
/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -v -D -q 1 -q 2 -q 3

IPS is able to pass small packets (i.e. echo, echo-reply) but kernel oops occurs
under increased network activity such as opening a web page. It appears that an
oops occurs with attempt of IPS to use each of the NFQUEUEs 1-3. Once an oops
occurs, IPS traffic is blocked - IPS useless. Restarting IPS results in failure
to open previously used queues:
<Error> - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
An IPS process can open previously unused queues (i.e. q4) but with the same
ultimate result.

The most recently attached file is the 3rd of 3 oops events corresponding with
an attempt to open a web page. These events resulted in blocking all subsequent
traffic from the IPS process. Note that each oops references a very short-lived
tainted process which I've been unable to identify with `ps -e` run at
`sleep 1e-03` interval.

first oops:
CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[ 109.483740] CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[ 110.064602] CPU: 3 PID: 14851 Comm: TX#02 Tainted: G D 5.6.19-200.fc31.x86_64 #1

2nd oops:
kernel_tainted_long: D - Kernel has oopsed before
3 PID: 14851 Comm: TX#02 Tainted: G D 5.6.19-200.fc31.x86_64 #1
[ 109.483740] CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[ 110.064602] CPU: 3 PID: 14851 Comm: TX#02 Tainted: G D 5.6.19-200.fc31.x86_64 #1

3rd oops:
kernel_tainted_long: D - Kernel has oopsed before
/var/tmp/ProblemReport-C-5.6.19-200.fc31.txt::CPU: 3 PID: 14849 Comm: TX#00 Tainted: G D 5.6.19-200.fc31.x86_64 #1
[ 109.483740] CPU: 1 PID: 14850 Comm: TX#01 Not tainted 5.6.19-200.fc31.x86_64 #1
[ 110.064602] CPU: 3 PID: 14851 Comm: TX#02 Tainted: G D 5.6.19-200.fc31.x86_64 #1
[ 124.498896] CPU: 3 PID: 14849 Comm: TX#00 Tainted: G D 5.6.19-200.fc31.x86_64 #1
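Added example, not code from the bug report or from the netfilter project: a small Python diagnostic for the two symptoms above, the `/proc/net/netfilter/nfnetlink_queue` listing in the initial report and the "previously used queues cannot be reopened" behaviour in Comment #1. It parses `nfnetlink_queue` in the column order the kernel's `nfnetlink_queue.c` prints (queue number, peer portid, packets queued, copy mode, copy range, kernel drops, failed deliveries to user space, id sequence, literal 1) and cross-checks each bound queue's peer portid against the live NETLINK_NETFILTER (protocol 12) sockets listed in `/proc/net/netlink`, so a queue instance still held by a peer that no longer owns a socket shows up as stale before the IPS is restarted. The `nfnetlink_queue` sample is the three lines from the original report; the `/proc/net/netlink` sample is constructed for this example and is not from the report, so the "bound-stale" verdict it yields for queue 2 describes the constructed scenario, not the reporter's machine. Function names and status labels are this example's own.

```python
"""Explain a failing nfq_create_queue() from /proc before restarting an inline IPS.

/proc/net/netfilter/nfnetlink_queue (nfnetlink_queue.c, seq_show) has 9 columns:
  queue_num peer_portid queue_total copy_mode copy_range
  queue_dropped queue_user_dropped id_sequence 1
/proc/net/netlink (af_netlink.c) lists every netlink socket; column "Eth" is the
netlink protocol (NETLINK_NETFILTER is 12) and "Pid" is the socket's portid.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

NETLINK_NETFILTER = 12

# The three nfnetlink_queue lines posted in the bug report (values unchanged).
SAMPLE_QUEUE = """\
    1       1286     0 2 65531     0     0      390  1
    2 2382334644     0 2 65531     0     0      413  1
    4       3099     0 2 65531     0     0      259  1
"""

# Constructed /proc/net/netlink listing (not from the report): netfilter sockets
# exist for portids 1286 and 3099; nothing holds portid 2382334644.
SAMPLE_NETLINK = """\
sk               Eth Pid        Groups   Rmem     Wmem     Dump  Locks    Drops    Inode
0000000000000000 0   0          00000000 0        0        0     2        0        1
0000000000000000 12  1286       00000000 0        0        0     2        0        40011
0000000000000000 12  3099       00000000 0        0        0     2        0        40012
0000000000000000 15  4242       00000000 0        0        0     2        0        40013
"""


@dataclass(frozen=True)
class QueueInstance:
    queue_num: int
    peer_portid: int
    queue_total: int        # packets currently waiting for a verdict
    copy_mode: int          # 0 none, 1 metadata only, 2 packet payload
    copy_range: int
    queue_dropped: int      # dropped because queue_total hit the queue maxlen
    queue_user_dropped: int  # netlink delivery to the peer failed
    id_sequence: int


def parse_nfnetlink_queue(text: str) -> Dict[int, QueueInstance]:
    """Return {queue_num: QueueInstance} for every bound queue instance."""
    instances: Dict[int, QueueInstance] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 9:
            raise ValueError(f"nfnetlink_queue line {lineno}: expected 9 fields, got {len(fields)}")
        inst = QueueInstance(*(int(f) for f in fields[:8]))  # last column is always 1
        instances[inst.queue_num] = inst
    return instances


def parse_netlink_portids(text: str, protocol: int = NETLINK_NETFILTER) -> Set[int]:
    """Portids of live netlink sockets bound to `protocol`."""
    portids: Set[int] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "sk":  # blank line or header row
            continue
        if int(fields[1]) == protocol:
            portids.add(int(fields[2]))
    return portids


def diagnose(queue_text: str, netlink_text: str, wanted: Iterable[int]) -> Dict[int, str]:
    """Classify each queue number the IPS is configured to bind.

    free        - no instance exists; a bind will succeed
    bound-live  - held by a peer that still owns a NETLINK_NETFILTER socket
    bound-stale - held by a peer with no such socket; the instance outlived its owner
    In both bound cases nfqnl_recv_config() answers NFQNL_CFG_CMD_BIND from another
    portid with EPERM, which libnetfilter_queue surfaces as a failed nfq_create_queue().
    """
    instances = parse_nfnetlink_queue(queue_text)
    live = parse_netlink_portids(netlink_text)
    verdict: Dict[int, str] = {}
    for q in wanted:
        inst = instances.get(q)
        if inst is None:
            verdict[q] = "free"
        elif inst.peer_portid in live:
            verdict[q] = "bound-live"
        else:
            verdict[q] = "bound-stale"
    return verdict


def user_drop_counts(queue_text: str) -> Dict[int, int]:
    """queue_user_dropped per queue; non-zero means packets never reached user space."""
    return {q: i.queue_user_dropped for q, i in parse_nfnetlink_queue(queue_text).items()}


if __name__ == "__main__":
    for q, status in diagnose(SAMPLE_QUEUE, SAMPLE_NETLINK, [1, 2, 3]).items():
        print(f"queue {q}: {status}")
```

Against a real host, feed it the two files: `diagnose(open('/proc/net/netfilter/nfnetlink_queue').read(), open('/proc/net/netlink').read(), [1, 2, 3])`. A "bound-live" queue is simply owned by a running process (for instance a previous IPS instance that has not exited yet); "bound-stale" is the state in which `nfq_create_queue()` keeps failing although nothing in user space holds the queue. On a healthy kernel that state does not persist, because `nfnetlink_queue` destroys a peer's instances when its socket is released (the NETLINK_URELEASE notifier), so finding it after a restart is itself evidence that the kernel side went wrong.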
bugzilla-daemon at netfilter.org
2020-Jul-01 12:35 UTC
[Bug 1436] nf_conntrack_update fails in fedora kernels 5.6.16 and 5.6.18
https://bugzilla.netfilter.org/show_bug.cgi?id=1436
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |pablo at netfilter.org
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I have submitted a patch to fix this:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200701123435.1806-1-pablo@netfilter.org/
Thanks for reporting.