On Wed, Sep 03, 2025 at 12:13:38PM +0200, Florian Westphal wrote:
[...]
> You could submit a patch for nftables userspace to no longer
> emit NFT_CT_SRC/DST, I think there is no need to support kernels < 4.17
> anymore.

Yes. Better to fix this from userspace.

linux-stable-5.4$ git grep NFT_CT_DST_IP include/
include/uapi/linux/netfilter/nf_tables.h: * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
include/uapi/linux/netfilter/nf_tables.h: * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
include/uapi/linux/netfilter/nf_tables.h: NFT_CT_DST_IP,
include/uapi/linux/netfilter/nf_tables.h: NFT_CT_DST_IP6,