nftables: explain ordering of strong host model check

nftables-attestation.conf

@@ -40,6 +40,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept

nftables-discuss.conf

@@ -40,6 +40,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept

nftables-mail.conf

@@ -40,6 +40,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept

nftables-matrix.conf

@@ -40,6 +40,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept

nftables-network.conf

@@ -42,6 +42,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept

nftables-ns1.conf

@@ -40,6 +40,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         udp dport 53 notrack accept

nftables-ns2.conf

@@ -42,6 +42,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         # reject SSH packets via anycast IP

nftables-social.conf

@@ -40,6 +40,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept

nftables-web.conf

@@ -44,6 +44,8 @@ table inet filter {
         iif lo notrack accept
 
         # drop packets to address not configured on incoming interface (strong host model)
+        #
+        # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
         tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept