I do have an external ssh port forwarded to the router local address port 22, which is why the DNAT rule exists on the input table. The forwarding table also has the DNAT rule for forwarding to other machines on the network.
I did verify that, on the older version, if I disable the DNAT rule in the input filter then I can’t ssh into my router externally.
Looking at the nft output, the only difference I saw between the two was in the DNAT rule syntax…
The old syntax (both input and forward chains):
ct state new ct status dnat counter packets 0 bytes 0 accept comment “ipv4-INP-filter-10”
ct state new ct status dnat counter packets 2 bytes 104 accept comment “ipv4-FWD-filter-10”
the new syntax (both input and forward chains):
ct state new ct status == dnat counter packets 0 bytes 0 accept comment “ipv4-INP-filter-10”
ct state new ct status == dnat counter packets 0 bytes 0 accept comment “ipv4-FWD-filter-10”
I’m not sure if the added “==” changes anything, it was just something I noticed.