We get a surprising number of ipset failures from the netban.net module. Despite using a netaddr set to track the ban space, it seems like we're trying to double-add or double-remove ranges a lot. Something must be wrong with our set operations.
I haven't noticed this as much since switching to nftables instead of old ipset sets. Not ready to close this without more investigation, but this may be fixed.
We get a surprising number of ipset failures from the netban.net module. Despite using a netaddr set to track the ban space, it seems like we're trying to double-add or double-remove ranges a lot. Something must be wrong with our set operations.