Andrei POPESCU wrote:
> On Tue, 14 Jul 20, 07:11:39, Dan Ritter wrote:
> > The way to handle a giant blocklist efficiently is ipset, which manipulates
> > large groups of IPs that will be matched for a particular rule.
>
> Disclaimer: I'm not an expert on either iptables or nftables, this is
> just based on some documentation I read.
>
> As far as I understand, while iptables (in buster) is indeed a frontend
> to nftables, nftables has new features that are not usable with iptables
> syntax.
>
> https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
>
> In particular regarding ipset, this page suggests manual translation is
> necessary:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_ipset_to_nftables

You are correct in all regards, but you are also not taking the next,
necessary step.

A firewall which is currently using iptables can be rewritten to use
iptables and ipset; or it can be rewritten to use nftables with ipset.

In either case, ipset is the correct tool, it just changes syntax in
between versions, so to avoid duplicating effort, one might prefer to
make one conversion rather than two.

-dsr-
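The two forms the thread contrasts, shown side by side as an added example (not code from either poster): the same blocklist expressed as an ipset referenced by one iptables rule, and as a native nftables named set, which is the translation the second linked wiki page covers. The script only generates the rule text from a blocklist file, so it runs without root and without touching the kernel; the set name "blocklist", the table name "filter", and the sample blocklist are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: generate (a) ipset + iptables commands and (b) an nftables
# ruleset with a native named set from one plain-text blocklist.
# Pure text generation; nothing here loads rules into the kernel.
# Set name "blocklist" and table "filter" are assumptions for the example.

# Constructed sample blocklist: one address or CIDR per line, '#' comments allowed.
BLOCKLIST_SAMPLE='# constructed sample blocklist
192.0.2.0/24
198.51.100.7
203.0.113.0/25
'

# Normalise the list: strip comments and blank lines, one entry per line.
blocklist_entries() {
    printf '%s' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d'
}

# (a) iptables + ipset. A hash:net set accepts both single hosts and CIDRs;
# a single rule references the whole set, so rule count stays constant
# however large the blocklist grows.
gen_ipset_commands() {
    set_name="$1"; entries="$2"
    printf 'ipset create %s hash:net -exist\n' "$set_name"
    printf 'ipset flush %s\n' "$set_name"
    printf '%s\n' "$entries" | while read -r net; do
        printf 'ipset add %s %s -exist\n' "$set_name" "$net"
    done
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$set_name"
}

# (b) nftables. A named set with "flags interval" holds CIDR elements; the
# rule matches the source address against the set by name (@set_name).
gen_nft_ruleset() {
    set_name="$1"; entries="$2"
    elements=$(printf '%s\n' "$entries" | paste -sd, - | sed 's/,/, /g')
    cat <<EOF
table inet filter {
    set $set_name {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @$set_name drop
    }
}
EOF
}

# Usage: emit both forms for the constructed sample.
entries=$(blocklist_entries "$BLOCKLIST_SAMPLE")
gen_ipset_commands blocklist "$entries"
gen_nft_ruleset blocklist "$entries"
```

The nftables output can be saved to a file and loaded with `nft -f`; the ipset output is a shell script to run as root. Either way the blocklist is replaced as one set rather than as one rule per address, which is the efficiency point the thread is making.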