enforce strong host model via nftables

nftables-attestation.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         tcp dport {22, 80, 443} notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept
     }

nftables-discuss.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         tcp dport {22, 80, 443} notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept
     }

nftables-mail.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         tcp dport {22, 25, 80, 443, 465, 993} notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept
     }

nftables-matrix.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         tcp dport {22, 80, 443} notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept
     }

nftables-network.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         tcp dport {22, 80, 443, 7275} notrack accept
         udp dport 123 notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept

nftables-ns1.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         udp dport 53 notrack accept
         tcp dport {22, 53, 80, 443, 853} notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept

nftables-ns2.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         udp dport 53 notrack accept
         tcp dport {22, 53, 80, 443, 853} notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept

nftables-social.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         tcp dport {22, 80, 443} notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept
     }

nftables-web.conf

@@ -10,6 +10,10 @@ table inet filter {
         fib saddr . iif oif missing counter drop
 
         iif lo notrack accept
+
+        # drop packets to address not configured on incoming interface (strong host model)
+        fib daddr . iif type != { local, broadcast, multicast } counter drop
+
         tcp dport {22, 80, 443} notrack accept
         meta l4proto {icmp, ipv6-icmp} notrack accept
     }