Matching routing information
Starting with linux 4.10 and nftables v0.7, there are new mechanisms to match several routing information related to packets and the firewall machine.
nexthop
The directly connected IP address that an outgoing packet is sent to, which can be used either for matching or accounting, eg:
nft add rule filter postrouting ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop
This will drop any traffic to 192.168.1.0/24 that is not routed via 192.168.0.1.
nft add rule filter postrouting flow table acct { rt nexthop timeout 600s counter }
nft add rule ip6 filter postrouting flow table acct { rt nexthop timeout 600s counter }
These rules count outgoing traffic per nexthop. Note that the timeout releases an entry if no traffic is seen for this nexthop within 10 minutes.
fib
The fib statement can be used to obtain the output interface from the route table based on either source or destination address of a packet.
This can be used to e.g. add reverse path filtering, or eg. drop if not coming from the same interface packet arrived on:
nft add rule x prerouting fib saddr . iif oif eq 0 drop
Accept only if from eth:
nft add rule x prerouting fib saddr . iif oif eq "eth0" accept
Accept if from any valid interface:
nft add rule x prerouting fib saddr oif accept
Querying of address type is also supported, this can be used to only accept packets to addresses configured in the same interface, eg:
nft add rule x prerouting fib daddr . iif type local accept
Its also possible to use mark and verdict map, eg:
nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap {
blackhole : drop,
prohibit : drop,
unicast : accept
}