NFT rule source addresses don't seem to take into account the first address in a subnet

[t-aleksander]

When the source address is defined as e.g. 10.123.1.4/30 the first address in the subnet 10.123.1.4 is reported to be still blocked despite being in the allow list.

Update:
The issue seems to arise from the inclusion of two subnets right next to each other, eg. 10.123.1.4/30 and 10.123.1.8/30. Singular subnets or multiple subnets that are not adjacent in a single rule work fine. This seems to be a quirk of the nftables subsystem. One solution would be to merge the adjacent subnets into a single address range, just like the nft CLI tool does it.

[gstorme]

I have a similar issue, could be related.
My user has a desktop & mobile device, respectively having IP 10.99.0.3 and 10.99.0.4.
With an ACL rule allowing it for all users, this rule is created:

ip saddr { 10.99.0.2/31, 10.99.0.4/31, 10.99.0.7, 10.99.0.8/31 } ip daddr { 192.168.1.0/24, 192.168.3.0/24 } counter packets 0 bytes 0 accept comment "ACL 138 - office ALLOW"

I can reach the destinations from the desktop device, but not from the mobile device.
When I change the ACL rule so it only applies to my user, the sources in the rule gets changed into:

ip saddr { 10.99.0.3-10.99.0.4 } ip daddr { 192.168.1.0/24, 192.168.3.0/24 } counter packets 29 bytes 2027 accept comment "ACL 137 - office ALLOW"

With this, I can reach the destinations from both devices.

[teon]

@gstorme thank you! @t-aleksander reproduced the issue and should do a patch gateway release beginning next week.