diff --git a/SOURCES/0001-conntrack-don-t-cancel-nest-on-unknown-layer-4-proto.patch b/SOURCES/0001-conntrack-don-t-cancel-nest-on-unknown-layer-4-proto.patch
new file mode 100644
index 0000000..47a61d9
--- /dev/null
+++ b/SOURCES/0001-conntrack-don-t-cancel-nest-on-unknown-layer-4-proto.patch
@@ -0,0 +1,32 @@
+From f94ca582531980f86fc2ffed9f1f55f7172e83f8 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 10 Dec 2021 12:18:23 +0100
+Subject: [PATCH] conntrack: don't cancel nest on unknown layer 4 protocols
+
+It is valid to specify CTA_PROTO_NUM with a protocol that is not
+natively supported by conntrack. Do not cancel the CTA_TUPLE_PROTO
+nest in this case.
+
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 45ec4b51e8290759e0d87d9405965be1352a4325)
+---
+ src/conntrack/build_mnl.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/conntrack/build_mnl.c b/src/conntrack/build_mnl.c
+index d9ad268cb8900..979c0c7e995a3 100644
+--- a/src/conntrack/build_mnl.c
++++ b/src/conntrack/build_mnl.c
+@@ -73,8 +73,7 @@ nfct_build_tuple_proto(struct nlmsghdr *nlh, const struct __nfct_tuple *t)
+ mnl_attr_put_u16(nlh, CTA_PROTO_ICMPV6_ID, t->l4src.icmp.id);
+ break;
+ default:
+- mnl_attr_nest_cancel(nlh, nest);
+- return -1;
++ break;
+ }
+ mnl_attr_nest_end(nlh, nest);
+ return 0;
+--
+2.38.0
+
diff --git a/SPECS/libnetfilter_conntrack.spec b/SPECS/libnetfilter_conntrack.spec
index bbda942..5bdc7e6 100644
--- a/SPECS/libnetfilter_conntrack.spec
+++ b/SPECS/libnetfilter_conntrack.spec
@@ -1,11 +1,13 @@
 Name: libnetfilter_conntrack
 Version: 1.0.8
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Netfilter conntrack userspace library
 License: GPLv2+
 URL: http://netfilter.org
 Source0: http://netfilter.org/projects/libnetfilter_conntrack/files/%{name}-%{version}.tar.bz2
+Patch01: 0001-conntrack-don-t-cancel-nest-on-unknown-layer-4-proto.patch
+
 BuildRequires: gcc
 BuildRequires: kernel-headers
 BuildRequires: libmnl-devel >= 1.0.3
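Review bot: With the `default:` arm of the switch in nfct_build_tuple_proto reduced to `break;`, the CTA_TUPLE_PROTO nest is now closed and sent for any protocol number the switch does not recognise, carrying only the attributes put before the switch (the function's start, where CTA_PROTO_NUM is presumably added, lies outside the embedded hunk). That matches the intent stated in the patch description, but a bare `break;` reads like an accidental no-op; a comment such as `default: /* unsupported L4 proto: CTA_PROTO_NUM alone is a valid tuple */ break;` would make the decision explicit to the next reader. This also removes the only visible failure return of the function, so any caller that used the -1 result to skip unsupported protocols now gets a tuple with a bare protocol number instead — worth checking the callers of nfct_build_tuple_proto, which are not in this diff. The spec file declares Patch01 but its %prep section is not shown, so whether the patch is actually applied (via %autosetup or an explicit %patch line) cannot be confirmed from this diff.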
@@ -51,6 +53,9 @@ find $RPM_BUILD_ROOT -type f -name "*.la" -delete %{_includedir}/libnetfilter_conntrack/*.h %changelog +* Wed Dec 07 2022 Phil Sutter - 1.0.8-5 +- conntrack: don't cancel nest on unknown layer 4 protocols + * Mon Aug 09 2021 Mohan Boddu - 1.0.8-4 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688