I want to create an nftables filter rule that drops traffic where the source and destination address are equal. Nftables only allows comparing addresses against constants or sets/maps. So I tried to add the destination address to a map and then compare the source address against the map.
I tried:
table inet my_table {
    map srcdest { type ipv4_addr : ipv4_addr; }
    chain my_chain {
        meta nfproto ipv4 update @srcdest { ip saddr : ip daddr }
        meta nfproto ipv4 ip saddr ip saddr map @srcdest drop
    }
}
but get "syntax error, unexpected drop", pointing at the drop in the last line.
I was expecting that
    ip saddr map @srcdest
would perform a lookup of the source address in the map and return the destination address, so the line would translate to something like:
    meta nfproto ipv4 ip saddr 192.168.1.1 drop