Description
Being able to create a rule with option src '!wan' (for example -- the zone could be anything, or even a comma-separated list of zones, or maybe a proper uci list) is powerful and sorely missing.
The lack of it ends up causing the situation where the user has to create (and maintain!) potentially many (many even!) duplicate rules for each zone on the router, and has to continue to replicate those rules as new zones are added.
Even if this is a limitation due to nft not allowing negative zone rules, the heavy lifting of creating an (nft) rule for every zone not in the exclude list should be done by firewall4. This is the sort of thing that computers are really (really!) good at and that humans really suck balls at.
FWIW, and as an aside, this is just one of a number of cases I have found where lists are not allowed but they should be (again, even if it means that firewall4 creates the necessary nft rules) in order to make the /etc/config/firewall rule specification concise and not unnecessarily repetitive. Being able to keep a configuration concise and DRY is most important for security specifications such as firewall rules.
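To make the requested expansion concrete, here is an added example (not firewall4 code, not from the issue author) that reads a constructed /etc/config/firewall excerpt and turns a rule whose src is a negated zone list such as '!wan,guest' into one plain rule per remaining zone, which is the per-zone duplication the report says firewall4 should do for the user. The parser, the sample config and the rule naming scheme are all assumptions made for this illustration.

```python
"""Expand negated-zone 'src' options into one rule per remaining zone.
Hypothetical helper written for this issue page; not part of firewall4."""
import re

# Constructed sample config (not from the page): four zones, one negated rule.
SAMPLE_CONFIG = """
config zone
    option name 'lan'
config zone
    option name 'wan'
config zone
    option name 'guest'
config zone
    option name 'iot'
config rule
    option name 'Allow-DNS'
    option src '!wan,guest'
    option dest_port '53'
    option target 'ACCEPT'
"""

OPTION_RE = re.compile(r"^option\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Minimal uci parser: returns a list of (section_type, {option: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif (m := OPTION_RE.match(line)) and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def expand_negated_src(sections):
    """Replace each rule with src '!a,b' by one rule per zone not in {a, b}."""
    zones = [opts["name"] for kind, opts in sections if kind == "zone"]
    out = []
    for kind, opts in sections:
        src = opts.get("src", "")
        if kind != "rule" or not src.startswith("!"):
            out.append((kind, opts))
            continue
        excluded = {z.strip() for z in src[1:].split(",")}
        unknown = excluded - set(zones)
        if unknown:  # a typo here would silently widen the rule, so refuse it
            raise ValueError(f"unknown zone(s) in exclusion: {sorted(unknown)}")
        for zone in zones:
            if zone not in excluded:
                name = f"{opts.get('name', 'rule')}-{zone}"
                out.append((kind, {**opts, "src": zone, "name": name}))
    return out
```

The unknown-zone check is the caveat a generated expansion needs: an exclusion that matches no zone name would otherwise expand the rule to every zone, including the one the author meant to exclude.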