It seems that Tumbleweed does not default to nftables. alexandre@localhost:~> sudo iptables -V iptables v1.8.10 (legacy) podman/netavark has some magic to discover which firewall is being used if not set in the config. It possibly defaults to iptables because the system is still on legacy, iptables-backend-nft should fix that system-wide.