I am using ipset 6.23-2 on Debian Jessie. I created a hash:net set for and an iptables rule to drop all traffic for addresses in the set.
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere match-set Example-Set src
I used the 'nomatch' option to add the network of my internal servers to it. I assumed it would work like an exclude so it's basically fool-proof and I don't accidentally lock myself out of my servers (or one of my colleagues).
Name: Example-Set
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 3424
References: 1
Members:
10.50.7.0/24 nomatch comment "# 2017-09-14"
Yet it still matches when I add a specific IP inside the subnet, e.g. 10.50.7.30, to the set, and drops all traffic from that IP.
Name: Example-Set
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 3424
References: 1
Members:
10.50.7.0/24 nomatch comment "# 2017-09-14"
10.50.7.21 comment "# 2017-09-14"
I assume I am wrong about the way 'nomatch' works?
Does it only work for excluding smaller subnets from a bigger one?
Is there any way to solve this without creating additional sets?
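As an added illustration (not part of the original post), the following Python model reproduces the documented lookup order of an ipset hash:net set: entries are checked from the most specific prefix to the least specific, the first network containing the address decides, and a 'nomatch' flag on that entry inverts the verdict. The HashNet class and the 10.0.0.0/8 and 10.60.1.1 sample values are constructed for this example; the 10.50.7.x values come from the post.

```python
import ipaddress

# Model of ipset hash:net lookup semantics (constructed example):
# the kernel searches from the most specific prefix to the least specific,
# the first network containing the address decides the verdict, and a
# 'nomatch' entry reports the address as NOT in the set.
class HashNet:
    def __init__(self):
        self.entries = {}  # ipaddress network -> nomatch flag

    def add(self, cidr, nomatch=False):
        self.entries[ipaddress.ip_network(cidr, strict=False)] = nomatch

    def test(self, addr):
        ip = ipaddress.ip_address(addr)
        # Longest prefix first, mirroring the kernel's search order.
        for net in sorted(self.entries, key=lambda n: n.prefixlen, reverse=True):
            if ip in net:
                return not self.entries[net]  # nomatch inverts the result
        return False

def reproduce_post():
    # The set from the post: a /24 marked nomatch plus one host entry.
    s = HashNet()
    s.add("10.50.7.0/24", nomatch=True)  # intended as an 'exclude'
    s.add("10.50.7.21")                  # /32 is more specific than the /24
    # .21 is found first via its own entry and matches; .30 only hits the
    # nomatch /24 and is reported as not in the set.
    return s.test("10.50.7.21"), s.test("10.50.7.30")

def exception_inside_block():
    # nomatch as an exception carved out of a broader blocked range
    # (constructed: 10.0.0.0/8 blocked, internal /24 excepted).
    s = HashNet()
    s.add("10.0.0.0/8")
    s.add("10.50.7.0/24", nomatch=True)
    return s.test("10.50.7.30"), s.test("10.60.1.1")
```

A nomatch entry only shields addresses for which it is the most specific hit; any more specific entry added later wins, so it does not act as a global exclude list.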