
I recently switched to nftables on Linux and the syntax is great, you should give it a go. I wrote a blog post demonstrating my server configuration. Shameless plug: https://stosb.com/blog/explaining-my-configs-nftables/


Does nftables support packet tagging/policy filtering ala pf's "tag" keyword [1]? It's so nice to tag a packet as "trusted" once it has passed an input filter, and then just pass trusted packets on outbound interfaces based solely on the tag.

For example, on my OpenBSD firewall I can write the following simple rules to restrict outbound Internet access to a specific set of IP addresses or networks:

  # internal_if is the LAN-facing interface; isp_if is the ISP-facing interface, i.e., the Internet.
  match in log on internal_if from <internet_allowed_networks> tag OUTBOUND
  pass in  log quick on internal_if tagged OUTBOUND
  ...
  pass out log on isp_if inet tagged OUTBOUND nat-to (isp_if) static-port

The tags are sticky, so that you can apply multiple tags to packets and sort through the tags later in the pipeline.

If nftables supports something like this, I'll probably make the switch, as I prefer Linux in every other way to OpenBSD.

[1] https://www.openbsd.org/faq/pf/tagging.html


I'm not familiar with the pf "tag", and I gtg so I don't have time to read more, but it seems very similar to "mark"[1]. It essentially lets you mark a packet with a tag (if memory serves it's a 32 bitmap you can do whatever bitwise/assignment operations to). I used it in the beginning, but then I managed to find cleaner ways to do what I was doing.

For me nftables changed the game for Linux firewalls. From the almost incomprehensible mess that was iptables we now have a clean language that lets me be quite DRY, and is easy to work with.

1: https://wiki.nftables.org/wiki-nftables/index.php/Setting_pa...


nftables "mark" would behave like pf "tag" if you can filter a packet further downstream based on the value of the mark. (It looks like the mark functionality is also present in iptables.)

If people are using marks for policy-based firewalls a la tag in pf, it doesn't look like a particularly common practice, based on a quick Google search. Anyway, it's a start. Thanks for the pointer.


There's a page somewhere on the nftables wiki that shows all the operations you can do, but you essentially can bitmask and compare, or just compare and do something based on the result of that conditional, so I guess exactly what you want.
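As an added illustration of the mark-based approach discussed in the comments above (this is not any commenter's configuration and not the ruleset from the linked blog post), the following nftables ruleset reproduces the pf "tag OUTBOUND / tagged OUTBOUND" pattern from the OpenBSD rules earlier in the thread. The interface names, the contents of the allowed-network set and the choice of bit 0x1 as the "OUTBOUND" mark are assumptions for illustration.

```nft
# Added example: pf-style "tag once, filter on the tag later" using the packet mark.
# Assumed names: internal_if (LAN side), isp_if (Internet side), mark bit 0x1 = OUTBOUND.

table inet fw {
    # LAN hosts permitted to reach the Internet (constructed sample addresses)
    set internet_allowed_networks {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.10 }
    }

    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        # pf: match in on internal_if from <internet_allowed_networks> tag OUTBOUND
        # OR-ing a bit (instead of overwriting the mark) leaves room for other "tags".
        iifname "internal_if" ip saddr @internet_allowed_networks meta mark set meta mark or 0x1
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # pf: pass out on isp_if tagged OUTBOUND
        # Only the mark decides; the address check is not repeated here.
        oifname "isp_if" meta mark and 0x1 == 0x1 accept
        # Anything else headed for the ISP is logged and then dropped by the chain policy.
        oifname "isp_if" log prefix "fw-forward-drop: " counter
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # pf: nat-to (isp_if) for tagged packets only
        oifname "isp_if" meta mark and 0x1 == 0x1 masquerade
    }
}
```

The mark is a 32-bit per-packet value that survives from the prerouting hook through forward and postrouting, which is what makes the downstream `meta mark and 0x1 == 0x1` tests work without repeating the source-address lookup. It is not remembered between packets, so if the decision should stick to a whole connection the same pattern is applied with `ct mark` instead. Because the forward chain drops by default, a packet that never received the mark (for example one arriving on an interface the prerouting rule does not cover) is logged and dropped rather than silently forwarded.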


> ... the almost incomprehensible mess that was iptables ...

You apparently never had to deal with ipchains or ipfwadm. iptables was a huge upgrade!


And I'm grateful for that. :)

