Hi. There is a patch for netfilter that includes a “raw” chain that is processed before PREROUTING. The two purposes are doing things before CONNTRACK and be selective about what would be tracked.
Is there somewhat similar in Mikrotik ? It’s much better to do incoming filtering on that chain, because dropped packets never make to the connection table, protecting it from being flooded by an evil-doer.
The other good thing is the -NOTRACK target, so one can turn off connection tracking for some traffic, not a 0/100% choice of tracking all the traffic or not tracking at all.
I noticed on the “packet flow” diagram that “hotspot input” goes before conntrack; is there a way to include generic rules there ?