Andrew
That is what I do; I really don't understand why the defaults are not your/my way, so that a per-rule setting would override the zone setting.
It is described only as source code or the resulting ruleset, but not checking the resulting ruleset creates exposure of the vulnerability you have in your SSH.
The previous fw3 orders rules the same way; it has been counterintuitive since inception.
Would it help to have a warning that there are no-interface rules preceding a specific rule? Similar to the one listing a rejected invalid rule.
Actually it makes a lot of sense optimizing max chain length... ``` accept established global rule iif lan goto lan iif wan goto wan drop/accept/reject ``` then nftablize ``` acc...
I described a not-so-well-documented syntax: vmap maps to "immediate" statements only, while the tail is a full rule, e.g. a fallthrough log or counter.
Related - restore lost options https://github.com/openwrt/openwrt/pull/18895
Just that it cannot tell apart Haswell from Zen
You always need CPUID bits. https://en.wikipedia.org/wiki/FMA_instruction_set#CPUs_with_FMA4