RE: Creating named set

[<paul.guijt@gmail.com>]

Thanks. 

This morning I had a brainwave, and inserted it into /etc/nftables.conf:

> #!/usr/sbin/nft -f
> flush ruleset
>
> table inet filter {
>
>         set blocklist { type inet_proto ; flags timeout ; }
>
>         chain input {
>                 type filter hook input priority 0;      policy drop;
 >        }
>         chain forward {
>                 type filter hook forward priority 0;    policy drop;
>         }
>         chain output {
>                 type filter hook output priority 0;     policy accept;
>         }
>
> }
>
> include "/etc/nftables/include/*.nft"

Nft accepted it. 

Best wishes, stay safe,
Paul

-----Original Message-----
From: Florian Westphal <fw@strlen.de> 
Sent: Saturday, March 27, 2021 12:32 AM
To: paul.guijt@gmail.com
Cc: netfilter@vger.kernel.org
Subject: Re: Creating named set

paul.guijt@gmail.com <paul.guijt@gmail.com> wrote:
> Hi all,
> On Raspbian I tried:
> 	sudo nft add set inet filter blocklist { type inet_proto \; flags timeout \; }
> 	Error: Could not process rule: No such file or directory
> 	add set inet filter blocklist { type inet_proto ; flags timeout ; }
 	             ^^^^^^
> I have tried all sorts of syntax, but every time that error comes up. Even with “% nft add set ip filter blackhole { type ipv4_addr\;}” from the wiki. 
> I have an inet table, and in it I want to drop anything coming from @blocklist. Can anyone please hand me the correct syntax, either for command line (sudo nft …) or for a rules file? 

This syntax is fine.  The error comes from the kernel.
Either no 'inet filter' table exists, or your kernel lacks set functionality.