nftables.conf with set and rules


On Debian bookworm I successfully run nftables from the file /etc/nftables.conf. Its skeleton basically looks like:

#!/sbin/nft -f
flush ruleset
table inet filter {
    # named counters have to be declared inside a table, not at top level
    counter CNT_WHITE_LISTED_COUNTRIES {}
    counter CNT_BLACK_LISTED_COUNTRIES {}

    set countries-allowed {
        # the keyword is "flags", not "flag"
        type ipv4_addr; flags interval; policy performance;
    }

    chain input {
    }

    chain forward {
    }

    chain output {
    }
}

I want to deploy an ipset for some user-defined countries (a whitelist of countries) and to integrate the ipset into the file /etc/nftables.conf (an NFT rule such that all IPv4 addresses in it are automatically accepted). Furthermore, there should be another rule which drops and counts all packets that do not originate from the white-listed countries. Please note that this main configuration file should be the only NFT configuration file, in order to keep the firewall setup as simple as possible.

Despite visiting https://wiki.nftables.org/wiki-nftables I don't know how to refer to set "countries-allowed" from chain "input" and set up the two rules.

Please note that "systemctl restart nftables" is executed successfully (i.e. no error messages).

Could somebody point me to the solution, please?

I deployed various combinations of rules in chain "input" by referring to set "countries-allowed", but none was successful.


Lobz

For a similar setup I use two named sets for each country (with the country code abbreviation and v4 or v6). So my setup is similar to:

#!/sbin/nft -f
flush ruleset
table inet filter {
    set admins {
        type ipv4_addr; flags interval; policy performance;
        # replace the following addresses with admin addresses that bypass the country filter
        elements = { 127.1.1.1 comment "admin-ip1", 127.1.1.2 comment "admin-ip2" }
    }
    set ssh_clients {
        type ipv4_addr; flags interval; policy performance;
    }
    set country-AA-v4 {
        type ipv4_addr; flags interval; policy performance;
    }
    set country-AA-v6 {
        type ipv6_addr; flags interval; policy performance;
    }
    set country-ZZ-v4 {
        type ipv4_addr; flags interval; policy performance;
    }
    set country-ZZ-v6 {
        type ipv6_addr; flags interval; policy performance;
    }

    chain countryfilter {
        ip saddr @country-ZZ-v4 counter return comment "use return instead of accept to allow further filtering in the input chain"
        ip6 saddr @country-ZZ-v6 counter return
        ip saddr @country-AA-v4 counter return
        ip6 saddr @country-AA-v6 counter return
        counter drop
    }

    chain input {
        # Pay attention - the policy is set to drop packets that
        # do not have an accept rule
        type filter hook input priority filter; policy drop;
        ct state established,related counter accept
        ip saddr @admins counter accept
        # admins were accepted above; jump unconditionally so IPv6 packets
        # also reach the ip6 rules in countryfilter ("ip saddr != @admins"
        # would only ever match IPv4)
        counter jump countryfilter
        # additional rules here
        tcp dport 443 counter accept
        ip saddr @ssh_clients tcp dport 22 counter accept
        ct state new limit rate 1/minute counter log prefix "[nft DROP] " comment "rate limited logging of dropped packets"
        counter drop
    }

    chain forward {
    }

    chain output {
    }
}
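The country sets in the answer are left empty. As an added example (not from the question or the answer, and assuming the answer's names: table inet filter, sets country-XX-v4), here is a POSIX shell script that validates a downloaded CIDR list and emits an nft batch which replaces one set's contents in a single transaction, refusing a feed that contains malformed lines instead of silently dropping them:

```shell
#!/bin/sh
# Added example, not part of the answer: turn a downloaded CIDR list into an
# nft batch that atomically replaces one country set. Assumes the answer's
# naming (table inet filter, set country-XX-v4); feed values are constructed.

# is_ipv4_cidr PREFIX: succeed only for a well-formed a.b.c.d/len, 0<=len<=32
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip_part=${1%/*}; len_part=${1#*/}
    case "$len_part" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len_part" -le 32 ] || return 1
    case "$ip_part" in *[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.
    set -- $ip_part                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_batch SETNAME < list: print an nft batch; exit 1 if any line was rejected
build_batch() {
    set_name=$1; bad=0; elems=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # drop trailing comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')    # drop whitespace and CR
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            elems="${elems:+$elems, }$line"
        else
            bad=$((bad + 1))                           # counted, never skipped
        fi
    done
    # flush + add in one "nft -f" run is applied as a single transaction
    printf 'flush set inet filter %s\n' "$set_name"
    if [ -n "$elems" ]; then
        printf 'add element inet filter %s { %s }\n' "$set_name" "$elems"
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample feed (documentation ranges plus one corrupt line)
sample_feed='203.0.113.0/24
198.51.100.128/25   # second range
999.0.0.1/8
'
# Apply for real with: printf '%s' "$sample_feed" | build_batch country-AA-v4 | nft -f -
```

Because build_batch exits non-zero on a bad line, a pipeline guarded with `set -o pipefail` (or a check of its status) can refuse to hand a corrupt feed to nft at all.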