Would there ever be a reason to use “connection-state=new” below the line “action=drop connection-state=invalid” ?
For example, if at the top of my forward rules I say:
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
Is it not the case that the only connection state remaining is “new”?
Am I correct in saying that there is no point in using “connection-state=new” from here on?
There’s also a relatively new state, “untracked”. It’s meant for packets you want to get through the router without connection tracking. The usual way to deal with them is to accept untracked together with established and related, and it’s safe, because packets don’t become untracked unless you tell them to be. And then yes, “new” will be all that’s left for following rules.
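To illustrate the rule ordering the answer describes, here is an added RouterOS example (not from the original thread or from MikroTik documentation) that shows how a packet becomes “untracked” in the first place and what the forward chain looks like once established, related and untracked are accepted and invalid is dropped. The interface lists LAN and WAN, the 10.0.1.0/24 and 10.0.2.0/24 subnets and the comments are assumptions chosen for the example.

```routeros
# Packets only become "untracked" if you tell them to: a notrack action in the
# raw table, evaluated before connection tracking sees the packet.
# Assumed use case: a bulk transfer between two LAN subnets that you do not
# want to consume conntrack entries.
/ip firewall raw
add chain=prerouting action=notrack src-address=10.0.1.0/24 dst-address=10.0.2.0/24 \
    comment="assumed example: skip conntrack for LAN-to-LAN bulk traffic"
add chain=prerouting action=notrack src-address=10.0.2.0/24 dst-address=10.0.1.0/24 \
    comment="assumed example: and the return direction"

/ip firewall filter
# Rule 1: accept everything that belongs to an existing connection, plus the
# untracked packets we deliberately created above. Untracked packets never match
# established/related, so without "untracked" here they would fall through to the
# rules below and be treated like fresh traffic (or dropped by the final rule).
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept known connections and deliberately untracked traffic"

# Rule 2: drop packets conntrack cannot attribute to any connection.
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# From here on every packet still being evaluated is connection-state=new, so the
# remaining rules only need to say where new connections may start.
# Writing "connection-state=new" on these rules would match exactly the same
# packets; it is optional documentation, not an extra filter.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="new connections from LAN to the internet"
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    comment="new connections between LAN segments"

# Final rule: anything that reaches here is a new connection we did not allow,
# e.g. unsolicited inbound from WAN.
add chain=forward action=drop comment="drop all other new connections"
```

Two points worth checking when you apply this pattern: the raw-table rules must cover both directions of a flow, otherwise one direction is untracked while the reply direction is seen by conntrack as new and gets evaluated by the later rules; and the untracked packets bypass anything that depends on conntrack (NAT and connection-based matchers), which is exactly why the answer calls accepting them early “safe” only because nothing becomes untracked unless you configure it.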