Mark

nftables ip set multiple tables

Use case: I have a home router using iptables today. I'm researching converting over to nftables, as it looks to be much more manageable for a lot of rules.

One thing I have set up today under iptables is a 'country-block' ipset which contains country CIDR blocks that cover the majority of random port probe/hack attempts. Unfortunately nftables can't use my existing ipsets directly, but it was fairly straightforward to convert it to an nftables ip set.

Problem: To avoid having one single massive nftables file, I chose to separate my 'country-block' set into a separate file. nftables makes it easy to include other files, so this seems to be well within the intended behavior for nftables. I've defined my country-block like so:

table ip country-block {
    set country-block {
        type ipv4_addr
        flags interval
        elements = { /* CIDR blocks here */ }
    }
}

This loads fine. Now I want to use it in my firewall filters. I have a table defined in my main config file 'table inet filter'. Here I want to add the rule:

ip saddr @country-block drop 

Following all my Google searching for answers, this is the only way I've found for referencing ip sets. Unfortunately, this throws the error:

Error: Could not process rule: Set 'country-block' does not exist 

I tried referencing "country-block@country-block" hoping it might resolve to the country-block namespace I created, but that doesn't work:

Error: syntax error, unexpected drop
ip saddr country-block@country-block drop
                                     ^^^^

Does anyone know of a way to reference a set that is in a different table? I'd hate to have to collapse all of my sets into my single 'filter' table and maintain them all in a single file - what an ugly mess that would be.

PS. I tried to tag this 'nftables', but apparently it's a new tag and I don't have the rep required to create a new tag. Can some kind person with the required rep please tag this appropriately?
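Added example, not part of the question or of any posted answer, showing the layout that keeps the set in its own file while still letting the rule resolve it: an nftables set is scoped to the table it is declared in, and a `table inet filter { ... }` block in a second file adds to that table rather than replacing it, so the included file declares the set inside `inet filter` itself. The file paths and the two sample prefixes are assumptions chosen for the illustration.

```nft
# /etc/nftables.d/country-block.nft  (assumed path, included from the main file)
# Sets live inside a table and "@name" in a rule only resolves within that
# rule's own table, so the set is declared in "inet filter", the table whose
# rules reference it, instead of in a separate "ip country-block" table.
table inet filter {
    set country-block {
        type ipv4_addr
        flags interval
        # constructed sample prefixes (RFC 5737 documentation ranges);
        # replace with the real country CIDR list
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }
}

# /etc/nftables.conf  (assumed path, the main file loaded with "nft -f")
flush ruleset
include "/etc/nftables.d/country-block.nft"

# A second "table inet filter" block merges into the table created above,
# so the set is already present when these rules are parsed.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # resolves now: the set and the rule share the same table
        ip saddr @country-block drop
        tcp dport 22 accept
    }
}
```

Validate the combined ruleset without applying it with `nft -c -f /etc/nftables.conf`; the `include` line must precede the block that references the set, since nft processes the file top to bottom.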
