PBR rules can reference firewall groups, similar to normal firewall rules. However, with the change to nftables, these names currently don't resolve in the policy code.
Here's an example for a network-group:
set firewall group network-group RFC1918 network '192.168.0.0/16'
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
set policy route BEAR rule 1 destination group network-group RFC1918
commit

This fails with:

[ policy route BEAR ]
Failed to apply policy based routing
[[policy route BEAR]] failed
Commit failed
Running nft -c -f /run/nftables_policy.conf reveals that the named network group RFC1918 (which is defined as a variable in /run/nftables.conf) is not known:
/run/nftables_policy.conf:11:19-27: Error: unknown identifier 'N_RFC1918'
        ip daddr $N_RFC1918 counter return comment "BEAR-1"
                  ^^^^^^^^^
I am uncertain whether moving all the define stuff from nftables.conf into a separate file and then including it in nftables*.conf would work, but theoretically, it should, e.g. with something like this:
#!/usr/sbin/nft -f
# include a single file using an absolute path
include "/run/nftables_defines.conf"
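A static check for this failure mode, added here as an example and not part of the report or of VyOS: it follows nft include directives, collects the names introduced by define statements and reports any $identifier that is referenced but never defined, reproducing the "unknown identifier" diagnosis before a commit. The file contents are constructed stand-ins for the generated files under /run, and the resolution is approximate (it ignores quoting and the order of defines).

```python
import re
from typing import Dict, Set

# Constructed stand-ins for the generated files under /run (not real VyOS output).
FILES: Dict[str, str] = {
    "/run/nftables_defines.conf":
        "define N_RFC1918 = { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }\n",
    "/run/nftables.conf":
        '#!/usr/sbin/nft -f\ninclude "/run/nftables_defines.conf"\n'
        "table ip filter {\n    chain VYATTA_FW_IN_HOOK {\n"
        "        ip saddr $N_RFC1918 counter accept\n    }\n}\n",
    # Policy file as generated today: no include, so $N_RFC1918 cannot resolve.
    "/run/nftables_policy.conf":
        "#!/usr/sbin/nft -f\ntable ip mangle {\n    chain BEAR {\n"
        '        ip daddr $N_RFC1918 counter return comment "BEAR-1"\n    }\n}\n',
    # Same policy file with the proposed include of the shared defines.
    "/run/nftables_policy_fixed.conf":
        '#!/usr/sbin/nft -f\ninclude "/run/nftables_defines.conf"\n'
        "table ip mangle {\n    chain BEAR {\n"
        '        ip daddr $N_RFC1918 counter return comment "BEAR-1"\n    }\n}\n',
}

DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s*=")
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"')
REF_RE = re.compile(r"\$(\w+)")


def _walk(path: str, files: Dict[str, str], defined: Set[str],
          referenced: Set[str], seen: Set[str]) -> None:
    """Scan one file, recursing into include directives exactly once each."""
    if path in seen:
        return
    seen.add(path)
    if path not in files:
        raise FileNotFoundError(path)
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0]  # drop comments and the shebang (ignores quoting)
        if m := DEFINE_RE.match(line):
            defined.add(m.group(1))
            continue
        if m := INCLUDE_RE.match(line):
            _walk(m.group(1), files, defined, referenced, seen)
            continue
        referenced.update(REF_RE.findall(line))

def unresolved_identifiers(path: str, files: Dict[str, str] = FILES) -> Set[str]:
    """Return the $NAMEs used by `path` (plus its includes) that no define provides."""
    defined, referenced = set(), set()
    _walk(path, files, defined, referenced, set())
    return referenced - defined
```

Running it against the constructed files flags N_RFC1918 for the policy file as generated today and nothing once the include line is present.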