Added ipset-persistent compatibility

[PaulGuijt]

With ipset-persistent, part of netfilter-persistent, the ipset is loaded earlier in the startup proces.
The script in /etc/network/if-up.d can be removed.

[slynobody]

how will a good use-case might look like to migrate the solution to nftables?

[ann0see]

Probably? Didn’t Debian move to nftables? At least the script doesn’t work for me on Debian 11…
Another question: is there any activity on another fork? This repo seems dead. (At least there are some open PRs)

[joe-at-startupmedia]

I'd recommend opening up a new issue for this as nftable compatibility doesn't quite pertain to ipset-persistent compatibility. [Edit: it appears issues have been disabled on this repo]

In any case, ipset and family has been deprecated on several distros including RHEL9.
https://access.redhat.com/solutions/6739041

iptables has been deprecated in Debian 10:
"NOTE: Debian 10 Buster and later use the nftables framework by default. [...] nftables is the default and recommended firewalling framework in Debian, and it replaces the old iptables (and related) tools."
https://wiki.debian.org/nftables

Alternatively since ipset version 7.12 you can use the ipset-translate utility which allows you to translate your existing ipset file to nftables.
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210601113152.20761-1-pablo@netfilter.org/

[leshniak]

I've made an nftables version, if someone wants it - https://github.com/leshniak/nft-blacklist

[ann0see]

Great! Thanks.