In the example IPv4 nft.conf file....

The "table netdev filter" uses the set @geo-netdev4
and the rule explictly drops packets in that set.
ip saddr @geo-netdev4 counter drop comment "Drop source addresses in set geo-netdev4"

In the next section, the "table inet filter" creates the set @geo-inet4 and the comment infers the same type of filter behavior.

We can do geolocation packet filtering in this table too.

Define empty set to store IPv4 country code specific address ranges.

set geo-inet4 {
type ipv4_addr
flags interval
# Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
}

But there is no saddr filtering on the set @geo-inet4.

The @geo-inet4 set is used later for daddr filtering.

I don't know if the intent was to do saddr filtering in the "table inet filter" or not, but the comment should be a little clearer if you are only going to use it for daddr.

The same logic looks like it is in the IP4, IP6 and combined examples.

refill-sets.conf is missing after running the script on Ubuntu 22.04

If I create it manually the .nft is not being created.

If I set refill reload it is looking for it in the wrong place(?) /etc/nftables/geo-nft//etc/nftables/geo-nft/
(according to the error it printed)

I was just trying out the script without sudo of course by modifying the variables:
geo_conf, errorlog, base_dir

but even if /etc would not be used in this scenario the script still checks for it here:
https://github.com/wirefalls/geo-nft/blob/main/geo-nft.sh#L1056

Thanks heaps for this project, it's awesome.

I'm using netdev for inbound country blocks only. I'm noticing more and more that my systems want to connect to a country I'm banning, and so when the initial reply comes back, it's blocked at the netdev family. Of course, netdev doesn't know ct state so... is the only option to give up netdev and move inbound blocks to inet?

I don't understand how to create additional sets in the
refill-sets.conf

include "/etc/nftables/geo-nft/countrysets/*"
define-ipv4 inet filter geo-inet4 AD
define-ipv6 inet filter geo-inet6 AQ
define-ipv4 inet filter geo-channel4 AD
define-ipv6 inet filter geo-channel6 AD

I'm trying to create a new set name for my region but when i add the line below I get an error.
define-ipv4 inet filter geo-channel4 AD

Geolocation for nftables v2.2.3

bash version 5.1.4(1)-release

nftables v0.9.8 (E.D.S.)

The latest database csv file already exists locally; using existing file:
/etc/nftables/geo-nft/dbip-country-lite-2021-08.csv

Creating country-specific nftables sets...

Creating a list of all country codes found in the database csv file.

Generating nftables geolocation sets in:
/etc/nftables/geo-nft/countrysets

This may take a moment, please wait...

Some countries may only have IPv4 addresses or IPv6 addresses.

No IPv4 addresses in database for country code BV, skipping...
No IPv4 addresses in database for country code CX, skipping...
No IPv4 addresses in database for country code EH, skipping...
No IPv4 addresses in database for country code HM, skipping...
No IPv4 addresses in database for country code SH, skipping...
No IPv4 addresses in database for country code TF, skipping...
No IPv4 addresses in database for country code UM, skipping...

Country set creation complete...

Checking for settings in /etc/nftables/geo-nft/refill-sets.conf

geo-nft.sh v2.2.3:
        The following 'define-ipv4' line in /etc/nftables/geo-nft/refill-sets.conf
        does not point to a valid nftables set:
        define-ipv4 inet filter geo-channel4 AD

Invalid settings were found in 'refill-sets.conf'.
Automatic generation of /etc/nftables/geo-nft/refill-sets.nft will be skipped.

Your nftables version is at least version 0.9.4, so you
can include all geolocation sets in your configuration file
/etc/nftables/geo-nft/refill-sets.conf with:
include "/etc/nftables/geo-nft/countrysets/*"

Script run time: 17s

Finished!

Many thanks