On Debian bookworm I successfully run nftables from the file /etc/nftables.conf. Its skeleton basically looks like:
#!/sbin/nft -f
flush ruleset
table inet filter {
    # named counters are table objects, so they must be declared inside the table
    counter CNT_WHITE_LISTED_COUNTRIES {}
    counter CNT_BLACK_LISTED_COUNTRIES {}
    set countries-allowed {
        # the keyword is "flags"; an interval set holds prefixes/ranges
        type ipv4_addr; flags interval; policy performance;
    }
    chain input {
        # base chain: without a hook, rules in this chain never see packets
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
I want to deploy an ipset for some user-defined countries (a whitelist of countries) and to integrate the ipset into the file /etc/nftables.conf (an NFT rule such that all IPv4 addresses from it are automatically accepted). Furthermore there should be another rule which drops and counts all packets that do not originate from the white-listed countries. Please note that this main configuration file should be the only NFT configuration file in order to keep the firewall setup as simple as possible.
Despite visiting https://wiki.nftables.org/wiki-nftables I don't know how to refer to set "countries-allowed" within chain "input" and set up the two rules.
Please note that "systemctl restart nftables" executes successfully (i.e. no error messages).
Could somebody point me to the solution, please?
I deployed various combinations of rules in chain "input" by referring to set "countries-allowed", but none was successful.
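A complete ruleset that references the set from the input chain with the two rules asked for above, added here as an illustrative example rather than text from the question or from any answer on this page; the two prefixes in the set are constructed placeholders, and the drop policy plus the established/related and loopback rules are assumptions about the intended setup:

```nft
#!/sbin/nft -f
flush ruleset

table inet filter {
    # named counters live inside the table they are used from
    counter CNT_WHITE_LISTED_COUNTRIES {}
    counter CNT_BLACK_LISTED_COUNTRIES {}

    # interval set of IPv4 prefixes for the allowed countries;
    # auto-merge lets overlapping GeoIP ranges load without an error
    set countries-allowed {
        type ipv4_addr
        flags interval
        auto-merge
        # constructed placeholder prefixes, replace with the real country ranges
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    chain input {
        # base chain with a hook, otherwise no packet traverses it;
        # a drop policy (assumed) also catches IPv6, which neither rule below matches
        type filter hook input priority 0; policy drop;

        # keep local and already accepted traffic working before the geo rules
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # rule 1: source in the white-listed ranges -> count and accept
        ip saddr @countries-allowed counter name "CNT_WHITE_LISTED_COUNTRIES" accept

        # rule 2: any other IPv4 source -> count and drop
        ip saddr != @countries-allowed counter name "CNT_BLACK_LISTED_COUNTRIES" drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file without loading it using `nft -c -f /etc/nftables.conf`, and read the counters afterwards with `nft list counters`.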
For a similar setup I use two named sets for each country (with the country code abbreviation and v6 or v4). So my setup is similar to: