Suricata

When using suricata with any uid/gid specified and nfq mode, the following code is run. As a result, NET_RAW capability is dropped.
https://github.com/OISF/suricata/blob/fa2b46cdc3f539a31e917c3b63ede70309bcc0b0/src/util-privs.c#L78

However, when a reject rule is executed, libnet_init gets called via below code path and fails the worker thread.
https://github.com/OISF/suricata/blob/ac491c6e8daf9a982e4ff6de743de916646a4b16/src/respond-reject-libnet11.c#L109

Please add NET_RAW to the capabilities for NFQ mode as well if libnet is to be used.

Log snippet:
2020-08-10T14:14:22.841972792Z [112] 10/8/2020 -- 14:14:22 - (respond-reject-libnet11.c:101) <Error> (RejectSendLibnet11L3IPv4TCP) -- [ERRCODE: SC_ERR_LIBNET_INIT(144)] - libnet_init failed: libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted
2020-08-10T14:14:22.841979391Z
2020-08-10T14:14:22.841983169Z [109] 10/8/2020 -- 14:14:22 - (tm-threads.c:2087) <Error> (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W-NFQ#0 failed