Tested with

{
  "type": "ptp",
  "ipMasq": true,
  "ipMasqBackend": "nftables",
  "ipam": {
    "type": "host-local",
    "ranges": [
      [{"subnet": "198.18.0.0/17"}],
      [{"subnet": "fd61:7465:6d65:1000::/112"}]
    ],
    "routes": [
      { "dst": "0.0.0.0/0" },
      { "dst": "198.18.128.0/17" },
      { "dst": "198.19.254.254/32" },
      { "dst": "::/0" },
      { "dst": "fd61:7465:6d65:2000::/112" },
      { "dst": "fd61:7465:6d65:ffff::/128" }
    ]
  }
},

@danwinship if you can review this one

I kept SetupIPMasqForNetwork (without the s) but it's broken for nftables if you call it in loop, so might be better to just break the API and get rid of it, as it was just released in 1.6.0.

I don't like keeping the broken function, but I don't know what @squeed will think about removing it, API-compatibility-wise.

It's also possible to avoid needing a new function, by including the CIDR in the comment hash so each one will get a different comment.

needs a unit test that fails with the old code and passes with the new code

I kept SetupIPMasqForNetwork (without the s) but it's broken for nftables if you call it in loop, so might be better to just break the API and get rid of it, as it was just released in 1.6.0.

I don't like keeping the broken function, but I don't know what @squeed will think about removing it, API-compatibility-wise.

It's also possible to avoid needing a new function, by including the CIDR in the comment hash so each one will get a different comment.

Right now teardownIPMasqNFTablesWithInterface completely ignores the IPNets and clean everything, which makes a lot of sense to me

needs a unit test that fails with the old code and passes with the new code

will do

OK, Casey says containernetworking/plugins has no API guarantees, so you can just drop the old function.

But you should still add a unit test

@danwinship unit test modified to test the fix (and more exotic setup), we should be good to go

@squeed this one should be ready to merge too