Thanks for the detailed example.

> nft add rule x prerouting fib daddr . iif type local accept

“local” is very close to what I’m after, but from my test, it doesn’t match. The linked wiki seems to suggest that “local” means the same interface a packet originates from? I wonder if there is an address type that denotes any IP that is hosted on local interfaces.

> nft add rule x prerouting fib daddr . iif oifname wan accept

This seems to also match packets that forward to wan, not just destined to wan.

> On Apr 28, 2023, at 4:03 PM, seentr@xxxxxxxxxxxx wrote:
>
> I think you need something like this:
>> nft add rule x prerouting fib daddr . iif type local accept
>
> Also, in the wiki I see the following information:
>> General syntax is: fib key data operator expression, where:
>>
>> key: saddr, daddr, mark, iif, oif (use '.' for concatenations to represent tuples)
>> data: oif, oifname, (address) type
>> operator: eq, neq, vmap, map
>
> Thus you may try something like this:
>> nft add rule x prerouting fib daddr . iif oifname wan accept
>
> I am currently away from PC and could not verify how it actually behaves but you can try and experiment with different parameters on your own.
>
> 2023-04-28T07:55:25Z Glen Huang <heyhgl@xxxxxxxxx>:
>
>> Thanks for the quick reply.
>>
>> Maybe I missed something, but it seems both nexthop and fib can only filter packets that go out of a certain interface, but not ones that have wan IP as the destination?
>>
>>> On Apr 28, 2023, at 3:22 PM, seentr@xxxxxxxxxxxx wrote:
>>>
>>> Have you tried this: https://wiki.nftables.org/wiki-nftables/index.php/Matching_routing_information ?
>>>
>>> 2023-04-28T03:59:07Z Glen Huang <heyhgl@xxxxxxxxx>:
>>>
>>>> Hi,
>>>>
>>>> I use tproxy to redirect all traffic from the lan interface, but I want to exemplify traffic whose destination IP belongs to the wan interface. I wonder if it’s possible to specify if ip daddr matches the wan interface IP in the prerouting chain?
>>>>
>>>> The only solution I can think of right now, is to create a set, and manually update the set with wan IPs (also whenever they change), which is very cumbersome.
>>>>
>>>> I wonder if there is a direct way to do that in nft?
>>>>
>>>> I use nft 1.0.7 with kernel 5.15.108
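
An added example, not part of the original thread: a ruleset sketch for the tproxy exemption discussed above, using the `fib` key `daddr` on its own, without the `. iif` concatenation. With `. iif` in the key the address-type lookup is restricted to the incoming interface, so a wan address arriving on lan is not reported as `local`; with `daddr` alone, `type local` covers an address configured on any interface of the host. The interface name `lan`, proxy port `12345` and mark value `1` are assumptions chosen for illustration.

```nftables
# Constructed example ruleset; load with: nft -f <file>
table ip x {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;

        # Destination address is configured on some local interface
        # (the wan address included, and it follows address changes
        # without a manually maintained set): skip the proxy.
        fib daddr type local accept

        # For comparison, the variant from the thread. It only matches
        # when the destination address is configured on the interface
        # the packet arrived on, so lan -> wan-address traffic falls
        # through to the tproxy rule below:
        #   fib daddr . iif type local accept

        # Everything else arriving on lan goes to the transparent proxy.
        # Interface name, port and mark are assumed values.
        iifname "lan" meta l4proto tcp tproxy to :12345 meta mark set 1 accept
    }
}
```

Adding `counter` before each `accept` and reading the chain with `nft list chain ip x prerouting` shows which rule a test packet actually hit.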