On 4/28/23 11:59, Glen Huang wrote:
> nft add rule x prerouting fib daddr . iif type local accept
> "local" is very close to what I'm after, but from my test, it doesn't match. The linked wiki seems to suggest that "local" means the same interface a packet originates from?
> I wonder if there is an address type that denotes any IP that is hosted on local interfaces.
I am using the following ruleset to bypass nf_conntrack for traffic
which is neither originating from a local IP nor destined to a locally
configured IP address:
table inet nftables_svc {
    chain untrack_in {
        type filter hook prerouting priority raw - 10; policy accept;
        # incoming packet whose destination is not a locally hosted address: skip conntrack
        fib daddr . iif type != local notrack
    }
    chain untrack_out {
        type filter hook output priority raw + 10; policy accept;
        # outgoing packet whose source is not a locally hosted address: skip conntrack
        fib saddr . oif type != local notrack
    }
}
Basically, what it does is look up the "local" routing table; you may
inspect it yourself using this command:
ip route list table local
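The decision the two rules above make can be reproduced offline by doing the same lookup against a copy of the "local" table. The script below is an added example, not part of the thread or of nftables: it parses constructed sample output of `ip route list table local` (the addresses and device names are made up), classifies an address by longest-prefix match into the route type nft reports (`local`, `broadcast`, or `unicast` when the local table has no entry for it), and then evaluates the `untrack_in` / `untrack_out` conditions for a given destination or source address. It models `fib daddr type local` semantics only; the `. iif` / `. oif` interface qualifier in the ruleset is not simulated.

```python
import ipaddress

# Constructed sample output of `ip route list table local` (not from a real host).
SAMPLE_LOCAL_TABLE = """\
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.0.2.10 dev eth0 proto kernel scope host src 192.0.2.10
broadcast 192.0.2.255 dev eth0 proto kernel scope link src 192.0.2.10
"""


def parse_local_table(text):
    """Turn `ip route list table local` lines into (route_type, network, dev) tuples.

    A bare address without a prefix length (e.g. "192.0.2.10") is a /32 host route,
    which is what ipaddress.ip_network() produces for it.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "dev":
            continue  # not a route line we understand
        route_type, prefix, dev = parts[0], parts[1], parts[3]
        entries.append((route_type, ipaddress.ip_network(prefix, strict=False), dev))
    return entries


def fib_addr_type(entries, addr):
    """Longest-prefix match of addr against the local table.

    Returns the matching route type ("local", "broadcast", ...) or "unicast"
    when nothing in the local table covers the address, i.e. the address is
    not hosted on this machine. This mirrors what `fib <addr> type` yields.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for route_type, net, _dev in entries:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (route_type, net)
    return best[0] if best else "unicast"


def untrack_in(entries, daddr):
    """Prerouting rule: notrack unless the destination is a locally hosted address."""
    return fib_addr_type(entries, daddr) != "local"


def untrack_out(entries, saddr):
    """Output rule: notrack unless the source is a locally hosted address."""
    return fib_addr_type(entries, saddr) != "local"


if __name__ == "__main__":
    table = parse_local_table(SAMPLE_LOCAL_TABLE)
    for addr in ("192.0.2.10", "192.0.2.255", "198.51.100.1", "127.0.0.5"):
        print(f"{addr:16} type={fib_addr_type(table, addr):10} "
              f"untrack_in={untrack_in(table, addr)} untrack_out={untrack_out(table, addr)}")
```

Feeding the script real output of `ip route list table local` instead of the sample shows which addresses the ruleset will leave untracked on a given host; forwarded traffic (neither endpoint local) gets `notrack`, while anything addressed to or sent from a locally configured address still enters conntrack.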