Try this
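#!/bin/bash
# Build an nft set holding the IPv4 prefixes of the listed countries (taken
# from ipdeny zone files) so that input rules can match on it.

# Space-separated, lowercase two-letter country codes as used by ipdeny.
countryList="ch de gb nz"
firewallSetName=countries-allowed
# Directory that keeps the downloaded .zone files (they are rewritten in place
# into nft commands before being loaded).
zonefiles="/config/zonefiles"
logLocation="/var/log/countries-allowed.log"

# 'add' (unlike 'create') does not fail when the object already exists, so the
# script can be re-run to refresh the set.
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0\; }
# The zone files contain CIDR prefixes (a.b.c.0/24); an ipv4_addr set only
# accepts prefixes/ranges as elements when it is created with 'flags interval'.
nft add set inet filter "$firewallSetName" { type ipv4_addr\; flags interval\; }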
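#######################################
# Download one country's IPv4 prefix list and load it into an nft set.
# Globals:   zonefiles (read), logLocation (read)
# Arguments: $1 - name of the nft set in table 'inet filter'
#            $2 - two-letter lowercase country code (ipdeny naming)
# Outputs:   progress and error lines appended to $logLocation
# Returns:   0 on success; 1 if the code is malformed, the download fails,
#            the file holds anything but IPv4 prefixes, or nft rejects it.
#            Nothing is loaded into the set on any failure path.
#######################################
loadcountry() {
  local firewallSetName=$1
  local country=$2
  local zone="$zonefiles/${country}.zone"

  # The code is spliced into a URL and a file path: accept only "cc".
  if [[ ! "$country" =~ ^[a-z]{2}$ ]]; then
    echo "Skipping invalid country code '$country'" >> "$logLocation"
    return 1
  fi

  echo "Downloading country definition for $country..." >> "$logLocation"
  # -f   : an HTTP error page must not be mistaken for a zone file
  # -sS  : quiet, but still report errors (curl's -q only disables .curlrc,
  #        and only when it is the first argument, so it did nothing here)
  # https: the file is about to become firewall rules; do not fetch it in
  #        the clear
  if ! curl -fsS --max-time 60 -o "$zone" \
      "https://www.ipdeny.com/ipblocks/data/countries/${country}.zone"; then
    echo "Download of $country failed; $firewallSetName left unchanged" >> "$logLocation"
    return 1
  fi

  # Every line of the file is turned into an nft command below, so refuse
  # the whole file unless each non-empty line is an IPv4 address or prefix.
  if grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$zone" | grep -q .; then
    echo "Unexpected content in $zone; not loading $country" >> "$logLocation"
    return 1
  fi

  echo "Adding proper formating to $country zone file" >> "$logLocation"
  sed -i -e "s/^/add element inet filter $firewallSetName {/" -e "s/$/}/" "$zone"

  echo "Loading IPs from $country into $firewallSetName set" >> "$logLocation"
  if ! nft -f "$zone"; then
    echo "nft -f $zone failed for $country" >> "$logLocation"
    return 1
  fi
}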
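# Empty the set and refill it from fresh downloads. Between the flush and the
# first successful load the set is empty, so any input rule that only accepts
# sources in this set has nothing to accept during that window — and stays
# that way if every download fails. The summary below makes such a failure
# visible instead of silently leaving an empty set behind.
nft flush set inet filter "$firewallSetName"

read -ra countries <<<"$countryList"
failedCountries=()
for country in "${countries[@]}"; do
  if ! loadcountry "$firewallSetName" "$country"; then
    failedCountries+=("$country")
  fi
done

if (( ${#failedCountries[@]} > 0 )); then
  echo "WARNING: not loaded into $firewallSetName: ${failedCountries[*]}" >&2
  echo "Not loaded into $firewallSetName: ${failedCountries[*]}" >> "$logLocation"
fi

nft list set inet filter "$firewallSetName"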
Also remember that nftables does not automatically create rules that use the sets, so you need to manually create rules that use your new set. For example, to drop all packets not coming from one of the countries in your list, you would add a rule like:
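# Rule order matters. Without the first two rules the final 'drop' also
# discards loopback traffic and the replies to connections this host opened
# itself; and because 'ip saddr' matches only IPv4 headers, every IPv6 packet
# reaching the inet table's input chain falls through to the drop as well.
nft add rule inet filter input iif lo accept
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input ip saddr @countries-allowed accept
nft add rule inet filter input drop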
Edit: here is the old link