The return of nftables

Not quite. This doesn't depend on any code other than ipset and iptables. The list of IP addresses/ranges to block is in the file "ip-list". In the command

> xargs -i ipset add peerguard {} < ip-list

the "{}" is an argument to "xargs -i" which serves as a placeholder. The xargs tool (with the "-i" option) runs the given command once for each line in the standard input (here redirected from the file ip-list), replacing any occurrences of "{}" with the data from the input. This is equivalent to a series of commands like:

> ipset add peerguard 12.23.34.45
> ipset add peerguard 21.32.43.54

The ipset tool adds each IP address to the IP set named "peerguard", which was created in the previous "ipset create" command as a hash-based set of IP addresses, and referenced with the "-m ipset --match-set peerguard src" option to iptables to search the set for the source IP address of the packet.

You'll probably want to change the "-j DROP" in my example to "-j REJECT", to match your previous rules. I wasn't sure which approach Peerguardian took. Also, if you have a large number of address ranges, like the /24 in your example, you may want to use "hash:net" rather than "hash:ip" when creating the IP set so that the ranges are stored more efficiently in the kernel. You can pass ranges to "ipset add" either way, but in the "hash:ip" case they're expanded to individual addresses in the table, whereas "hash:net" keeps separate tables for each prefix length and stores only the network address.

See also:
* http://ipset.netfilter.org/
* http://ipset.netfilter.org/ipset.man.html
* http://ipset.netfilter.org/iptables-extensions.man.html