I’ve been using older versions of VyOS for a long time now, and hadn’t extensively used any of the releases that use nftables instead of iptables.
From what I can see, the nft config generator uses nft symbolic variables and substitutes them into the generated nftables.conf as anonymous sets.
I’m experimenting with GeoIP-based policies, and if VyOS supported named sets (e.g. source group set-group), it would be easy to populate country-based GeoIP nft sets and refer to them in firewall policy.
Any thoughts on how hard that will be? I can kind of see how it can be hacked together, but just touching base before I do anything …
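As an added illustration (not the poster's or VyOS's own configuration) of the anonymous-set versus named-set distinction raised above, here is a raw nftables ruleset; the table and set names are assumed, and the addresses are constructed documentation ranges, not real GeoIP data.

```nftables
#!/usr/sbin/nft -f
# Added example: one ruleset showing both kinds of set.
# Load atomically with:  nft -f geoip-example.nft

table inet filter {
    # Named set: lives in the kernel independently of any rule.
    # It can be filled or emptied at runtime without regenerating
    # the whole ruleset, which is what a GeoIP feed needs.
    set geoip_block {
        type ipv4_addr
        flags interval                 # allow CIDR prefixes as elements
        elements = { 192.0.2.0/24, 198.51.100.0/24 }   # constructed sample
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Anonymous set: the addresses are baked into this one rule.
        # Changing them means rewriting and reloading the rule itself.
        ip saddr { 203.0.113.0/24 } counter drop

        # Rule that refers to the named set by @name; the rule never
        # changes when the set contents do.
        ip saddr @geoip_block counter drop
    }
}

# Runtime maintenance of the named set (commands, shown as comments):
#   nft add element inet filter geoip_block { 203.0.113.0/24 }
#   nft delete element inet filter geoip_block { 192.0.2.0/24 }
#   nft flush set inet filter geoip_block
# To swap in a fresh country list atomically, put a "flush set" line
# followed by "add element" lines in one file and load it with nft -f.
```

Verify the live contents with `nft list set inet filter geoip_block` and the hit counters with `nft list chain inet filter input`.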