nftables: add invalid case to ct state vmap

This might as well be dropped by the verdict map instead of falling
through to the default drop policy.

nftables/nftables-attestation.conf

@@ -47,7 +47,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 80, 443 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {

nftables/nftables-discuss.conf

@@ -47,7 +47,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 80, 443 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {

nftables/nftables-mail.conf

@@ -59,7 +59,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {

nftables/nftables-matrix.conf

@@ -47,7 +47,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 80, 443 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {

nftables/nftables-network.conf

@@ -56,7 +56,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {

nftables/nftables-ns1.conf

@@ -49,7 +49,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {

nftables/nftables-ns2.conf

@@ -61,7 +61,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {

nftables/nftables-social.conf

@@ -47,7 +47,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 80, 443 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {

nftables/nftables-web.conf

@@ -57,7 +57,7 @@ table inet filter {
         policy drop
 
         tcp dport { 22, 80, 443 } goto input-tcp-service
-        ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
+        ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
     }
 
     chain input-tcp-service {