
Re: nftables not user friendly



Correction:  I wrote

6. And apparently the flag interval only works with a table inet family, not the ip family, unless there is something else going on (e.g., maybe I need to delete the set explicitly before changing the flag).

The flag interval works for sets in the ip family.  It was not working for me because I had an existing definition of the set that did not include the flag.  When I deleted the existing definition I was then able to create the set in the ip family with the "interval" flag.

I believe the problem is that you can't redefine the set attributes once the set is created.  AFAIK this is also undocumented.

In experiments, I found that doing 'nft -f ban', where ban was a file with the definition of the ban set using curly brace syntax, would add elements to the set, but it did not remove them.  That is, if the original set is {a, b, c} and the revised ban file has {b, c, d}, running nft on it results in a set with {a, b, c, d} even though a is not present in the second version.

I think I finally have everything working, and there is no longer any noticeable delay bringing up the network interface, despite the ban set having over 12k elements.  The old approach, which invoked iptables separately for each address added, was over 3 minutes for ~10k elements.  In fairness, I think iptables had a set option; I wasn't using it.

So I like the performance, just not the documentation or failure behavior :)

Ross
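The two pitfalls described above (set attributes are fixed once the set exists, and loading a file with `nft -f` merges elements into an existing set instead of replacing them) can both be avoided by generating the ruleset file with the `interval` flag present from the start and a `flush set` command ahead of the `add element`. The script below is an added example, not code from the original message: it emits such a file from a plain address list. The table name `filter` and chain name `input` are assumptions; the set name `ban` and the ip family are taken from the post, and the sample addresses in the usage comment are constructed from the TEST-NET ranges.

```shell
#!/bin/sh
# Generate an nftables ruleset file that replaces the contents of the "ban"
# set in one transaction, so addresses removed from the source list also
# disappear from the kernel set. Assumed names (not from the original post):
# table "filter", chain "input". The set is declared with "flags interval"
# from the start, because the attributes of an existing set cannot be
# changed later; a set created without the flag must be deleted first.
#
# Usage:  gen_ban_ruleset ADDRESS_FILE > ban.nft && nft -f ban.nft
# ADDRESS_FILE holds one IPv4 address or CIDR prefix per line, for example
# (constructed sample):
#   192.0.2.0/24
#   198.51.100.7
# Blank lines and lines starting with '#' are ignored.
gen_ban_ruleset() {
    addr_file=$1

    # Collapse the list into one comma-separated element list so the whole
    # set is loaded with a single "add element" rather than one call per
    # address (the slow pattern the post describes for iptables).
    elements=$(grep -v '^[[:space:]]*#' "$addr_file" \
        | grep -v '^[[:space:]]*$' \
        | paste -s -d , - \
        | sed 's/,/, /g')

    # Declaring the table and set is idempotent when they already exist with
    # the same attributes; nft -f applies the whole file atomically, so the
    # flush and the re-add happen in one transaction with no window in which
    # the set is empty.
    cat <<EOF
table ip filter {
    set ban {
        type ipv4_addr
        flags interval
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @ban drop
    }
}
flush set ip filter ban
EOF

    # An empty element list is a syntax error in nft, so only emit the add
    # when there is something to add; the flush above already emptied the set.
    if [ -n "$elements" ]; then
        printf 'add element ip filter ban { %s }\n' "$elements"
    fi
}

# When run directly with a file argument, write the ruleset to stdout.
if [ "$#" -ge 1 ]; then
    gen_ban_ruleset "$1"
fi
```

Because `flush set` and `add element` sit in the same file, the set is never observed half-loaded, and an address dropped from the list is gone after the reload rather than lingering as in the {a, b, c} to {b, c, d} case described above. If the set was originally created without `flags interval`, run `nft delete set ip filter ban` once before the first load; after that the generated file can be reapplied as often as the list changes.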
