I get the (vague?) impression that you think I like writing poetry and only by insinuation providing solutions. You are probably right. I think understanding matters more than the exact sequence of commands. In things that count, e.g. in security, I strive to be exceptionally clear.
The exact command I suggest is
:foreach i in=[ find where connection-mark=renat ] do={ :onerror e in={ remove $i} do={} }
@anserk pointed out that there’s a simpler form:
foreach i in= [ find where connection-mark=renat ] do= { remove $i } on-error= { }
I haven’t tested @anserk’s answer, but I have no reason to doubt it. It makes sense for all “do=” constructs to accept an “on-error”, but on a cursory look, I couldn’t find any documentation to this effect. This would of course not be the first undocumented thing, and again: it makes sense.
@anserk: I was going to chime in with the exact same thing: for nuking all entries, disabling/re-enabling conntrack is an option. I would only do this as a last resort - it results in some nasty things, but it does accomplish what it’s supposed to in the least amount of time.
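An added example (not from the post above or from @anserk) that wraps the same per-entry :onerror loop in a small script which also reports how many entries actually went away; it assumes the marked entries live under /ip firewall connection and RouterOS v7 scripting syntax.

```routeros
# Added example, not code from the original post.
# Assumption: the entries with connection-mark=renat are tracked
# connections under /ip firewall connection (RouterOS v7 syntax).
/ip firewall connection
:local before [:len [find where connection-mark=renat]]
:foreach i in=[find where connection-mark=renat] do={
    # an entry may vanish between find and remove; log instead of aborting
    :onerror err in={ remove $i } do={
        :log warning ("could not remove connection $i: $err")
    }
}
:local after [:len [find where connection-mark=renat]]
:log info ("removed " . ($before - $after) . " connection(s) marked renat")
```

The log entry makes it visible when entries survived the loop (for example because a connection was re-created while the script ran), which the bare one-liner does not show.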