1iptables-translate -A INPUT -m connmark --mark 2 -j ACCEPT 2nft add rule ip filter INPUT ct mark 0x2 counter accept 3 4iptables-translate -A INPUT -m connmark ! --mark 2 -j ACCEPT 5nft add rule ip filter INPUT ct mark != 0x2 counter accept 6 7iptables-translate -A INPUT -m connmark --mark 10/10 -j ACCEPT 8nft add rule ip filter INPUT ct mark and 0xa == 0xa counter accept 9 10iptables-translate -A INPUT -m connmark ! --mark 10/10 -j ACCEPT 11nft add rule ip filter INPUT ct mark and 0xa != 0xa counter accept 12 13iptables-translate -t mangle -A PREROUTING -p tcp --dport 40 -m connmark --mark 0x40 14nft add rule ip mangle PREROUTING tcp dport 40 ct mark 0x40 counter 15