Reverse --exeptions how to

[lejurassien]

Hello, first of all I would like to thank you for your great work that really facilitates the management of authorized ip on my website it is a big plus thank you!

I have a question after having set up the script then the service as well as crontab, I put you the command line that I use like that it will be more comprehensible,

0 5 * * 1 /usr/sbin/nft-geo-filter --allow --allow-established --interface ens3 --table-family inet --table-name suisse-filter CH --log-drop --log-drop-prefix GEO-NFT --log-drop-level notice

I only allow Swiss CH ip's to be able to connect but I have a range of Swiss ip's that I would still like to block is there a reverse of --exceptions or a way to add this range 146.4.22.128/26 that is Swiss but I don't want to allow to connect?

I hope I've been clear, I don't speak English and everything is translated
Thanks

[frankofno]

you could add another chain (TOBLERONE or whatever name you like) and put your IP's in there. Just make sure the priority is lower than the one of your country chain.

#!/bin/bash

nft add chain inet filter TOBLERONE { type filter hook input priority -10 \; policy accept\;}

nft add rule inet filter TOBLERONE ip saddr 146.4.22.128/26 drop

[lejurassien]

Of course, nftables is brand new to me and I didn't think about the priority!
Thanks for the help
I really laughed out loud with the TOBLERONE table and will keep the name as a souvenir!
Good luck in the continuation of your project