#! nft -f add table ip filter add chain ip filter output { type filter hook output priority 0 ; } # meta: skb len add rule ip filter output meta length 1000 counter # meta: skb protocol add rule ip filter output meta protocol 0x0800 counter # meta: skb mark add rule ip filter output meta mark 0 counter # meta: skb iif add rule ip filter output meta iif lo counter # meta: skb iifname add rule ip filter output meta iifname "eth0" counter # meta: skb oif add rule ip filter output meta oif lo counter # meta: skb oifname add rule ip filter output meta oifname "eth0" counter # meta: skb sk uid add rule ip filter output meta skuid 1000 counter # meta: skb sk gid add rule ip filter output meta skgid 1000 counter # meta: nftrace add rule ip filter output meta nftrace 1 counter # meta: rtclassid (see /etc/iproute2/rt_realms) add rule ip filter output meta rtclassid cosmos counter # meta: secmark add rule ip filter output meta secmark 0 counter