I'm having a lot of trouble wrapping my head around how I can use nftables instead of ipset. I have read https://wiki.nftables.org/wiki-nftables/index.php/Concatenations#Some_ipset_types, but I don't want to match a single IP; I want to be able to match an entire subnet against a set of networks. For example, in ipset terms: ipset create <myset> hash:net, but I want to do this for a set of networks.

Basically I want to define a set with multiple networks: 'define block_set = { <ip>/<mask> }' and match these networks against my rule. I'm having trouble understanding how to create a rule that drops any network in the set. Could someone point me in the right direction?

-- John Ramsden
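The configuration below is an added example, not part of the original post: an nftables ruleset that does what the question describes, a named set holding CIDR prefixes (the counterpart of ipset's hash:net) and a rule that drops any packet whose source address falls inside one of them. The table and chain names (inet filter / input), the set names and the element addresses are illustrative assumptions; the addresses are RFC 5737 / RFC 3849 documentation ranges, not real blocklist entries.

```nft
# Added example (not the original poster's configuration).
# Assumed names: table "filter" of family inet, chain "input",
# sets "block_set" (IPv4) and "block_set6" (IPv6).

table inet filter {
    # "flags interval" is what allows a set to hold prefixes and
    # address ranges instead of single addresses. Without it,
    # elements like 192.0.2.0/24 are rejected when the ruleset loads.
    set block_set {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 }
    }

    # Same idea for IPv6 prefixes; an inet table can carry both.
    set block_set6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Allow established traffic and loopback before the blocklist
        # so an accidental entry cannot lock out existing sessions.
        iif lo accept
        ct state established,related accept

        # Drop anything whose source lies inside a network in the set.
        # "counter" keeps hit statistics visible in "nft list ruleset".
        ip saddr @block_set counter drop
        ip6 saddr @block_set6 counter drop
    }
}
```

Save it to a file and check the syntax before loading: `nft -c -f blocklist.nft` parses without applying anything, and `nft -f blocklist.nft` applies it. Because the set is named, networks can be added or removed at runtime without reloading the rules, for example `nft add element inet filter block_set { 203.0.113.128/25 }` or `nft delete element inet filter block_set { 198.51.100.0/24 }`. The `define block_set = { ... }` form from the question also works when used as `ip saddr $block_set drop`, but it expands to an anonymous set that is baked into the rule and cannot be updated afterwards; for a blocklist that changes over time the named set is the better fit.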