On 12.11.24 at 19:24, Pablo Neira Ayuso wrote:
> Because there is currently no support for connection tracking at ingress.
O.k., I guess this is probably obvious to people more familiar with the kernel's netfilter subsystem. For the benefit of all others, it might be desirable to have it documented somewhere in the nft man page (or did I just miss it?).
So, does this mean that I cannot use conntrack state in netdev tables, since these only allow for the filter/ingress combo? What I wanted to achieve was to create a firewall that just protects one particular interface, the one connected to the internet at large. Netdev seemed like the way to go.
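As an added example that is not part of this thread, the following ruleset shows one way to get the single-interface, stateful firewall the question describes without a netdev ingress chain: an inet-family chain on the input hook, where conntrack state is available, restricted to the uplink with an interface match. The interface name "eth0" and the allowed services are assumptions for illustration.

```nft
# Added example (not from the thread): stateful filtering limited to the
# internet-facing interface. "eth0" and the allowed ports are assumptions.
table inet wanfilter {
    chain input {
        type filter hook input priority filter; policy accept;

        # Only packets arriving on the uplink are subject to this policy;
        # other interfaces fall through untouched.
        iifname != "eth0" accept

        # ct state works here because the input hook runs after conntrack,
        # unlike a netdev ingress chain.
        ct state established,related accept
        ct state invalid drop

        # Explicitly allowed new inbound traffic on the uplink.
        tcp dport 22 ct state new accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Everything else from the uplink is dropped and counted.
        counter drop
    }
}
```

A netdev ingress chain can still sit in front of this for stateless early drops (it runs before conntrack and so cannot see ct state), while the stateful decisions are made on the input hook.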