Re: Possible to check if ip daddr belongs to an interface in the prerouting chain?

I think you need something like this:
> nft add rule x prerouting fib daddr . iif type local accept

Also, in the wiki I see the following information:
> General syntax is: fib key data operator expression, where:
>
>     key: saddr, daddr, mark, iif, oif (use '.' for concatenations to represent tuples)
>     data: oif, oifname, (address) type
>     operator: eq, neq, vmap, map

Thus you may try something like this:
> nft add rule x prerouting fib daddr . iif oifname wan accept

I am currently away from my PC and cannot verify how it actually behaves, but you can try and experiment with different parameters on your own.

2023-04-28T07:55:25Z Glen Huang <heyhgl@xxxxxxxxx>:

> Thanks for the quick reply.
> 
> Maybe I missed something, but it seems both nexthop and fib can only filter packets that go out of a certain interface, but not ones that have wan IP as the destination?
> 
>> On Apr 28, 2023, at 3:22 PM, seentr@xxxxxxxxxxxx wrote:
>> 
>> Have you tried this: https://wiki.nftables.org/wiki-nftables/index.php/Matching_routing_information ?
>> 
>> 2023-04-28T03:59:07Z Glen Huang <heyhgl@xxxxxxxxx>:
>> 
>>> Hi,
>>> 
>>> I use tproxy to redirect all traffic from the lan interface, but I want to exempt traffic whose destination IP belongs to the wan interface. I wonder if it's possible to specify if ip daddr matches the wan interface IP in the prerouting chain?
>>> 
>>> The only solution I can think of right now, is to create a set, and manually update the set with wan IPs (also whenever they change), which is very cumbersome.
>>> 
>>> I wonder if there is a direct way to do that in nft?
>>> 
>>> I use nft 1.0.7 with kernel 5.15.108
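As an added example (not from anyone in this thread and not from the nftables project), here is a minimal ruleset file showing where the suggested fib rule would sit relative to the tproxy rule; the interface name "lan", the listener port 1234, the mark value 1 and the table name are assumptions:

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: exempt locally-addressed traffic
# from tproxy. Assumed names: input interface "lan", tproxy listener
# port 1234, fwmark 1.
flush ruleset

table ip x {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;

        # Only packets arriving on the lan interface are of interest.
        iifname != "lan" return

        # Route lookup on the destination address, qualified by the input
        # interface: if the kernel classifies it as "local" (an address
        # configured on this host), accept it before the tproxy rule sees it.
        # Caveat: "local" covers every address on the host (wan, lan, lo),
        # not only the wan address, so this is broader than a wan-only match.
        fib daddr . iif type local counter accept

        # Everything else from lan is diverted to the local tproxy listener.
        meta l4proto tcp tproxy to :1234 meta mark set 1 accept
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list chain ip x prerouting`; the counter on the fib rule shows whether locally-addressed packets are actually being matched and accepted ahead of the tproxy rule.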