Convert ipset script to use nft

Try this

#!/bin/bash

countryList="ch de gb nz"
firewallSetName=countries-allowed
zonefiles="/config/zonefiles"
logLocation="/var/log/countries-allowed.log"

mkdir -p "$zonefiles"

# "add" is idempotent, so the script can be re-run safely
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0\; }
# the zone files hold CIDR prefixes, which a set only accepts with the interval flag
nft add set inet filter "$firewallSetName" { type ipv4_addr\; flags interval\; }

function loadcountry () {
     local firewallSetName=$1
     local country=$2

     echo "Downloading country definition for $country..." >> "$logLocation"
     # -sS is quiet except for errors (curl's -q only disables .curlrc);
     # -f fails on HTTP errors so an error page is never turned into nft commands
     if ! curl -sSf -o "$zonefiles/${country}.zone" "http://www.ipdeny.com/ipblocks/data/countries/${country}.zone"; then
          echo "Download for $country failed, skipping" >> "$logLocation"
          return 1
     fi

     echo "Adding proper formatting to $country zone file" >> "$logLocation"
     # drop blank lines, then wrap each prefix as "add element inet filter <set> {<prefix>}"
     sed -i -e '/^[[:space:]]*$/d' -e "s/^/add element inet filter $firewallSetName {/" -e "s/$/}/" "$zonefiles/${country}.zone"

     echo "Loading IPs from $country into $firewallSetName set" >> "$logLocation"
     nft -f "$zonefiles/${country}.zone"
}

nft flush set inet filter "$firewallSetName"

for country in $countryList; do
     loadcountry "$firewallSetName" "$country"
done

nft list set inet filter "$firewallSetName"

Also remember that nftables does not automatically create rules that use the sets, so you need to manually create rules that use your new set. For example, to drop all packets not coming from one of the countries in your list, you would add a rule like:

nft add rule inet filter input ip saddr @countries-allowed accept
nft add rule inet filter input drop

Edit: here old link
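As an added example that is not part of the original answer, here is a bash helper that builds the nft batch file from a zone file while letting only well-formed IPv4 prefixes through, so a blank line or an HTML error page left by a failed download never reaches nft -f. The set name, the sample zone lines and the helper names are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the original answer's script: build an nft batch file
# from an ipdeny-style zone file, keeping only well-formed IPv4 prefixes so a
# blank line or an HTML error page never reaches nft -f. Names are assumed.

# valid_cidr <candidate>: true for a.b.c.d or a.b.c.d/len with sane octets
valid_cidr() {
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(/([0-9]|[12][0-9]|3[0-2]))?$'
    [[ $1 =~ $re ]] || return 1
    local o
    for o in "${BASH_REMATCH[@]:1:4}"; do
        [ "$o" -le 255 ] || return 1
    done
}

# zone_to_nft <set-name> <zone-file>
# Prints an nft script that declares the set with the interval flag prefixes
# need and loads every valid entry in one transaction. Other lines are
# dropped and counted on stderr; returns 1 when nothing valid was found.
zone_to_nft() {
    local setname=$1 zonefile=$2
    local line elements="" good=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}; line=${line//[[:space:]]/}   # strip comments, whitespace
        [ -z "$line" ] && continue
        if valid_cidr "$line"; then
            elements+="${elements:+, }$line"; good=$((good + 1))
        else
            bad=$((bad + 1))
        fi
    done < "$zonefile"
    echo "zone_to_nft: $good prefixes kept, $bad lines rejected" >&2
    [ "$good" -gt 0 ] || return 1
    cat <<EOF
add table inet filter
add set inet filter $setname { type ipv4_addr; flags interval; auto-merge; }
flush set inet filter $setname
add element inet filter $setname { $elements }
EOF
}

# Constructed sample zone: two good prefixes, a blank line, a bad octet and a
# stray HTML line such as a failed download might leave behind.
sample_zone=$(mktemp)
printf '1.0.0.0/24\n\n2.0.0.0/16 # comment\n300.1.1.1/8\n<html>404</html>\n' > "$sample_zone"
zone_to_nft countries-allowed "$sample_zone" > "$sample_zone.nft"
cat "$sample_zone.nft"   # review, then apply with: nft -f "$sample_zone.nft"
```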