I read from various sources that the problem with adding overlapping IP ranges to an nftables set led to the lack of support for IP range remediation by the nftables firewall bouncer.
I am now investigating workarounds to enable IP range remediation by nftables bouncer.
One workaround is having two blacklist sets, one for single IPs and the other for 27-bit CIDR ranges (blocks of 32 IPs), which are technically non-overlapping. The bitmask can vary per deployment but must always remain the same for all detection scenarios to guarantee non-overlap. This solution can be expanded into supporting multiple blacklist sets, one for every arbitrary bitmask from 8 to 31, and letting the bouncer decide which set to add to, eliminating the possibility of overlap.
The question is how to configure the nftables bouncer to achieve this. Does it support per-scope or per-scenario sets? From what I see it currently only supports one set for IPv4 and one for IPv6. Can someone please put me on the right track?
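An added example (not code from the bouncer or from the original post) of the per-prefix-length bucketing the post proposes, in Python: decisions are parsed, normalized to exact networks, and grouped by prefix length, so each group can be loaded into its own nftables set with no overlapping elements. The table name `inet filter`, the set naming `crowdsec_v4_<N>` and the splitting of ranges wider than /8 into /8 blocks are assumptions.

```python
"""Route IPv4 ban decisions into per-prefix-length nftables sets so that no
single set ever holds overlapping elements (overlap across sets is harmless;
nftables only rejects overlap inside one interval set).
Table and set names below are assumed, not the bouncer's configuration."""
import ipaddress
from itertools import combinations

TABLE = "inet filter"          # assumed table
SET_PREFIX = "crowdsec_v4_"    # assumed naming: crowdsec_v4_32, crowdsec_v4_27, ...
MIN_PREFIX = 8                 # smallest mask the post proposes a set for


def normalize(decision):
    """Parse 'a.b.c.d' or 'a.b.c.d/N' into exact networks of prefix >= MIN_PREFIX.
    Host bits are zeroed; a range wider than /8 is split into /8 blocks."""
    net = ipaddress.ip_network(decision, strict=False)
    if net.prefixlen >= MIN_PREFIX:
        return [net]
    return list(net.subnets(new_prefix=MIN_PREFIX))


def assign(decisions):
    """Bucket decisions by prefix length: {32: {...}, 27: {...}, ...}.
    Two distinct networks with the same prefix length can never overlap,
    so every bucket is safe to load into its own nftables set."""
    buckets = {}
    for decision in decisions:
        for net in normalize(decision):
            buckets.setdefault(net.prefixlen, set()).add(net)
    return buckets


def has_overlap(networks):
    """Sanity check before loading a set: True if any two networks overlap."""
    return any(a.overlaps(b) for a, b in combinations(networks, 2))


def nft_commands(buckets):
    """Render one 'nft add element' line per set. The /32 set holds plain
    addresses (no 'interval' flag needed); the others hold CIDR elements."""
    lines = []
    for plen in sorted(buckets, reverse=True):
        elems = ", ".join(str(n.network_address) if plen == 32 else str(n)
                          for n in sorted(buckets[plen]))
        lines.append(f"nft add element {TABLE} {SET_PREFIX}{plen} {{ {elems} }}")
    return lines


if __name__ == "__main__":
    # Constructed sample decisions (RFC 5737 documentation addresses)
    sample = ["192.0.2.5", "192.0.2.0/27", "192.0.2.7/27", "198.51.100.0/24"]
    grouped = assign(sample)
    assert all(not has_overlap(nets) for nets in grouped.values())
    print("\n".join(nft_commands(grouped)))
```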