After analyzing my config, I can now give a full example.
The subnet came from a geoblock list; the separate host came from an abusers list.
That causes the conflict in Buster (which can be fixed with auto-merge).
And I tried it again on a different Stretch machine, and it indeed works fine. (Sorry, I could also have done all this for the first report, I now realize).

#!/usr/sbin/nft -f
table ip filter {
        set blacklist {
                type ipv4_addr
                flags interval
                elements = {
                        192.0.2.0/24,
                        192.0.2.1
                }
                # auto-merge # uncomment this to fix in Buster
        }
}
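
An added example, not part of the original message: one way to catch this kind of overlap before loading the set is to check and collapse the combined source lists when generating the file. The list names, the extra sample entries and the function names are assumptions made for illustration; it handles IPv4 entries only.

```python
import ipaddress

# Constructed sample inputs mirroring the report: a subnet from a geoblock
# list and a single host from an abusers list. The other entries are made up
# to show adjacent ranges and a non-overlapping host.
SOURCES = {
    "geoblock": ["192.0.2.0/24", "198.51.100.0/25"],
    "abusers": ["192.0.2.1", "203.0.113.7", "198.51.100.128/25"],
}


def find_overlaps(sources):
    """Return (inner, inner_source, outer, outer_source) for every entry
    that is already covered by another entry in the combined lists."""
    entries = [(ipaddress.ip_network(e, strict=False), name)
               for name, items in sources.items() for e in items]
    overlaps = []
    for i, (net, src) in enumerate(entries):
        for j, (other, other_src) in enumerate(entries):
            # Exact duplicates are reported once, for the later entry.
            if i != j and net.subnet_of(other) and (net != other or i > j):
                overlaps.append((str(net), src, str(other), other_src))
    return overlaps


def merged_elements(sources):
    """Collapse all entries into a sorted, non-overlapping element list."""
    nets = [ipaddress.ip_network(e, strict=False)
            for items in sources.values() for e in items]
    return [str(n) if n.prefixlen < n.max_prefixlen else str(n.network_address)
            for n in ipaddress.collapse_addresses(nets)]


def render_set(name, elements):
    """Emit an nft table/set definition in the layout used in the report."""
    body = ",\n".join(f"\t\t\t{e}" for e in elements)
    return (f"table ip filter {{\n\tset {name} {{\n\t\ttype ipv4_addr\n"
            f"\t\tflags interval\n\t\telements = {{\n{body}\n\t\t}}\n\t}}\n}}\n")


if __name__ == "__main__":
    for inner, src, outer, outer_src in find_overlaps(SOURCES):
        print(f"# {inner} ({src}) is covered by {outer} ({outer_src})")
    print(render_set("blacklist", merged_elements(SOURCES)))
```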
