instructions/guidance for adding a drop everything else

[bmcdonough]

I am new to nftables and stumbled upon the wirefalls/geo-nft.
With enough time/effort I think I can eventually figure this out but...

I had assumed the way this was written you were explicitly accepting specific geos.
What I am learning is, while that is true, there is no drop or reject statement to follow.
I would like to suggest that perhaps the User Guide would offer that instruction.

[bmcdonough]

What specifically worked for me... was to add a country/countries to be dropped.
Google Cloud is charging for egress to China. I am not specifically discriminating but limiting my costs.

$ cat /etc/nftables.conf
#!/usr/bin/nft -f

flush ruleset

# Include all country code set files to make things easier to configure.
# nftables >= v0.9.4 can include all sets with: include "/etc/nftables/geo-nft/countrysets/*"
include "/etc/nftables/geo-nft/include-all.ipv4"
###include "/etc/nftables/geo-nft/include-all.ipv6"

table netdev filter {

  set geo-netdev4 {
    type ipv4_addr
    flags interval
    # Add IPv4 country code elements for the United States.
    elements = { $US.ipv4 }
  }
  set drop-netdev4 {
    type ipv4_addr
    flags interval
    # Add IPv4 country code elements for China.
    elements = { $CN.ipv4 }
  }

#  set geo-netdev6 {
#    type ipv6_addr
#    flags interval
#    # Add IPv6 country code elements for the United States, Great Britain and Antarctica.
#    elements = { $US.ipv6, $GB.ipv6, $AQ.ipv6 }
#  }

  chain ingress {
    # Replace <device_name> below with the name of your WAN network interface from "ifconfig".
    ###type filter hook ingress device <device_name> priority 0; policy accept;
    type filter hook ingress device ens4 priority 0; policy accept;
    # Count IPv4 traffic from the United States and accept.
    ip saddr @geo-netdev4 counter accept
    # Count IPv4 traffic from China and drop it.
    ip saddr @drop-netdev4 counter drop
    # Count IPv6 traffic from the United States, Great Britain and Antarctica.
    ###ip6 saddr @geo-netdev6 counter
  }
}

# Your other ruleset content here...

$ sudo nft list table netdev filter|tail -6
	chain ingress {
		type filter hook ingress device "ens4" priority filter; policy accept;
		ip saddr @geo-netdev4 counter packets 532 bytes 33263 accept
		ip saddr @drop-netdev4 counter packets 27 bytes 2196 drop
	}
}

[wirefalls]

Thanks for the feedback. I'm working on an update to the documentation so I'll add some drop examples and clarification. Glad that you got things working.