nftables: explain synproxy untracked/invalid cases

nftables-attestation.conf

@@ -57,6 +57,8 @@ table inet filter {
 
         iif lo goto input-loopback
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset

nftables-discuss.conf

@@ -57,6 +57,8 @@ table inet filter {
 
         iif lo goto input-loopback
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset

nftables-mail.conf

@@ -57,6 +57,8 @@ table inet filter {
 
         iif lo goto input-loopback
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset

nftables-matrix.conf

@@ -57,6 +57,8 @@ table inet filter {
 
         iif lo goto input-loopback
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset

nftables-network.conf

@@ -61,6 +61,8 @@ table inet filter {
         iif lo goto input-loopback
         udp dport 123 accept
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset

nftables-ns1.conf

@@ -60,6 +60,8 @@ table inet filter {
         iif lo goto input-loopback
         udp dport 53 accept
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset

nftables-ns2.conf

@@ -65,6 +65,8 @@ table inet filter {
         iif lo goto input-loopback
         udp dport 53 accept
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset

nftables-social.conf

@@ -57,6 +57,8 @@ table inet filter {
 
         iif lo goto input-loopback
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset

nftables-web.conf

@@ -61,6 +61,8 @@ table inet filter {
 
         iif lo goto input-loopback
         meta l4proto { icmp, ipv6-icmp } accept
+
+        # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
         ct state vmap { new : goto input-new, established : goto input-established, related : accept }
 
         tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset