On Thu, Sep 16, 2021 at 01:05:03PM +0200, Martin Zatloukal wrote:
[...]
> root@igw-test:~# cat /etc/firewall/test
>
> #!/sbin/nft -f
>
> flush ruleset
>
> add table ip filter
> add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
>
> add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; }
> add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol . th dport vmap @forwport counter
>
> add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }

Thanks, this repro is useful. I managed to reproduce it.

Fix it here:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210916115838.21724-1-pablo@xxxxxxxxxxxxx/

Thanks for reporting.