Openwrt 22.xx and 23.xx with GEOIP firewall rules

Hi guys

I'm running openwrt 21.02.5 on X86 hardware and some of my firewall rules use GEOIP extra arguments like: -m geoip --src-cc <country_code>.
I've seen that iptables in recent openwrt has been replaced by nftables, hence I would like to know how to convert those rules (geoip) to be compatible with nftables. Is it even possible?

(no personal experience)

But I have recently seen, there is a package with a translate command, maybe give it a try.

Use banIP, it supports GeoIP and works with nftables just fine:
https://openwrt.org/docs/guide-user/services/banip#blocking_countries

I'm also wanting an answer to this

thanks for the tip, but I want geoip only for some very specific rules (for example, one rule is linked to port, protocol and time restriction), not globally. With iptables, it's just as simple as adding the extra argument in the firewall rule, but now with nftables I can't do it anymore.

1 Like

Make your rules to match an IP set populated with GeoIP data.
Here's an automated script creating and populating IP sets:
https://openwrt.org/docs/guide-user/advanced/ipset_extras

2 Likes
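As an added example (not code from the thread or from the ipset_extras script linked above), the following POSIX shell script shows the two halves of that approach on fw4 (OpenWrt 22.03 and later): first it sanitises a country CIDR list into a clean loadfile, so a truncated or tampered download cannot abort the set load or quietly widen it, and then it emits the UCI stanzas that make one specific rule (port, protocol and time window, as asked for above) match only that set. The sample list is constructed, not a real GeoIP feed; the interface names, 192.0.2.0/24 addresses, port and time window are placeholders, and the `config ipset` / `option ipset` syntax is the fw4 one documented by OpenWrt.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an fw4 ipset loadfile from a
# (constructed) GeoIP CIDR list and prints the UCI config that ties a single
# time-restricted rule to that set. Assumes fw4 (OpenWrt 22.03+).

# Keep only syntactically valid IPv4 CIDR or host lines; comments and junk
# are dropped and each octet / prefix length is range-checked.
# $1 = input list, $2 = output loadfile; prints the number of kept entries.
filter_ipv4_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$1" |
    awk -F'[./]' '{
        ok = 1
        for (i = 1; i <= 4; i++) if ($i + 0 > 255) ok = 0
        if (NF == 5 && $5 + 0 > 32) ok = 0
        if (ok) print
    }' > "$2"
    wc -l < "$2" | tr -d ' '
}

# Emit the fw4 UCI stanzas: an ipset loaded from the file, and one rule on
# the WAN zone that accepts the given TCP port only from that set and only
# inside a time window (placeholder values, adjust to taste).
# $1 = country code (lower-case, e.g. au), $2 = loadfile path, $3 = dest port
emit_uci_config() {
    cc="$1"; lf="$2"; port="$3"
    cat <<EOF
config ipset
	option name 'geoip_${cc}'
	option family 'ipv4'
	list match 'src_net'
	option loadfile '${lf}'

config rule
	option name 'Allow-${port}-from-${cc}-office-hours'
	option src 'wan'
	option proto 'tcp'
	option dest_port '${port}'
	option ipset 'geoip_${cc}'
	option start_time '08:00'
	option stop_time '18:00'
	option weekdays 'Mon Tue Wed Thu Fri'
	option target 'ACCEPT'
EOF
}

# Constructed sample list (not a real GeoIP feed) with a few bad lines mixed in.
write_sample_list() {
    printf '%s\n' \
        '# constructed sample, not a real country feed' \
        '1.0.0.0/24' \
        '1.128.0.0/11' \
        '203.0.113.0/24' \
        '999.1.1.1/24' \
        '10.0.0.0/33' \
        'garbage line' \
        '192.0.2.5' > "$1"
}

# Stand-alone run: filter the sample and show the resulting UCI config.
sample_in=$(mktemp); loadfile=$(mktemp)
write_sample_list "$sample_in"
kept=$(filter_ipv4_cidrs "$sample_in" "$loadfile")
echo "# kept $kept of $(wc -l < "$sample_in" | tr -d ' ') lines in $loadfile"
emit_uci_config au "$loadfile" 443
rm -f "$sample_in"
```

On the router the loadfile would be written somewhere persistent (the thread above mentions changing the save path in ipset.sh), the stanzas appended to /etc/config/firewall, and `/etc/init.d/firewall restart` run; `nft list set inet fw4 geoip_au` then shows the loaded entries, and `nft list chain inet fw4 input_wan` shows the rule referencing `@geoip_au`.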

thanks vgaetera
this works for me :slight_smile:
made an ipset for my country AU
add the ipset in the firewall rule
seems to work fine for ipv4 port forward allow AU only :slight_smile:

1 Like

thanks, now that works for me as well. I've just changed the path in ipset.sh to save the ipset files elsewhere and run the script less often than each time the net is online, which, btw, doesn't work with the hotplug stuff (the script /etc/hotplug.d/online/70-ipset-setup isn't triggered at all); "online" doesn't appear to be a valid directory according to https://openwrt.org/docs/guide-user/base-system/hotplug

1 Like

It needs Hotplug extras to trigger at startup when the network is online:
https://openwrt.org/docs/guide-user/advanced/hotplug_extras
I split it to a separate plugin as a common dependency for several scripts.

ah ok, thank you again, I'll keep it my way, it better fits my requirements.

1 Like
