For context, we are detecting nefarious IP ranges/CIDR blocks by parsing the live logs of various services (eg nginx, apache etc) using the crowdsec agent. After the agent detects a nefarious IP range, we want to block the range using nftables. To do this we tried adding IP range to a nftables set, with appropriate rules in place. The problem we are facing is when the agent detects IP ranges which overlap. In such cases, nftables rejects the newer overlapping range. Even if the previous range is smaller. We tried using the "auto-merge" flag for the set but it doesn't solve the problem because only ranges present in the same transaction/command are auto-merged. Also we want to provide users an option to delete a range. But this won't be possible if this range was merged to some other range by nftables. So how do we add IP ranges in a nftables set which are potentially overlapping and have a way to delete the originally provided ranges ?
