creating NOTRACK firewall rules are bogus

[ErwanMAS]

In my case , i want to remove connection tracking on DNS on my local network only .

I added 2 rules

extract of /etc/config/firewall

# rule A
config rule
	option name 'dont track DNS queries'
	option src 'lan'
	option dest_port '53'
	option target 'NOTRACK'
# rule B
config rule
	option name 'dont track DNS queries'
	option src_port '53'
	option dest 'lan'
	option target 'NOTRACK'

1. rule A is too wide , because capture packet in forward mode

current nft ruleset

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname "br-lan" jump notrack_lan comment "!fw4: Handle lan IPv4/IPv6 notrack traffic"
	}

	chain notrack_lan {
		tcp dport 53 counter packets 0 bytes 0 notrack comment "!fw4: dont track DNS queries"
		udp dport 53 counter packets 1298 bytes 91957 notrack comment "!fw4: dont track DNS queries"
	}

the rule in raw_prerouting must be something like this

      iifname "br-lan" fib daddr . iif type local  jump notrack_lan comment "!fw4: Handle lan IPv4/IPv6 notrack traffic"

2. rule B does not generate nft rule

so firewall4 must generate a block like this

	chain raw_output {
		type filter hook output priority raw; policy accept;
		oifname "br-lan" jump notrack_output_lan comment "!fw4: Handle lan IPv4/IPv6 notrack output traffic"
	}
	chain notrack_output_lan {
		tcp sport 53 counter packets 0 bytes 0 notrack comment "!fw4: dont track DNS queries"
		udp sport 53 counter packets 921 bytes 73525 notrack comment "!fw4: dont track DNS queries"
	}

[brada4]

Rule 1 is correctly generated. There is no raw/forward, it acts on any packet reaching the network card (after flowtable offload which is at even lower level)
You can set one bit in mark then extract it in following rule

or better you can put your fragments renamed from generated names in /etc/nftables.d/???.nft (see fw4 print for re-usable zone name variables)