On Tue, 12 Nov 2024, at 2:55 PM, Thomas Koeller wrote:
> Hi,
>
> migrating my existing firewall setup from iptables + ipset to nftables,
> I ran into a problem.
>
> The firewall uses an ipset containing ipv4 source addresses to
> implement a dynamic blacklist. There are multiple rules that use this
> ipset, and these rules are in chains that belong to different tables.
> This doesn't seem to be possible with nftables sets, that
> apparently always have to belong to one and only one table, is this
> correct? At least I couldn't figure out how to create a set that
> is accessible throughout the entire ruleset.

Yes. Rules may only reference a named set from the enclosing table.

https://bugzilla.netfilter.org/show_bug.cgi?id=1472

--
Kerin Millar
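Added example, not from either message in the thread, illustrating the scoping rule stated above: a named set is visible only to chains in the table that declares it, so a blacklist shared by several hooks is declared once in a single table (here an `inet` table, which can hold chains for more than one hook), while a chain in any other table needs its own copy that must be fed separately. Table, set and chain names and the sample address are assumptions.

```nft
# Added example, not part of the original thread. Names and the
# 192.0.2.10 entry are constructed for illustration.
table inet filter {
    set blacklist {
        type ipv4_addr
        flags timeout
        timeout 1h
        elements = { 192.0.2.10 }   # constructed sample entry
    }

    # Both chains are in the same table, so both may reference @blacklist.
    chain input {
        type filter hook input priority filter; policy accept;
        ip saddr @blacklist counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        ip saddr @blacklist counter drop
    }
}

# A chain in a different table cannot see "inet filter blacklist";
# it must declare (and be fed) its own set.
table ip nat {
    set blacklist {
        type ipv4_addr
        flags timeout
        timeout 1h
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip saddr @blacklist counter drop
    }
}

# Dynamic updates from userspace are therefore per table, e.g.:
#   nft add element inet filter blacklist { 198.51.100.7 }
#   nft add element ip nat blacklist { 198.51.100.7 }
```

Keeping every chain that needs the blacklist in one table avoids the duplicate set and the double update.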