Firewall: Multiple Source and Destination zones

Not duplicate of - Firewall: Multiple Source and Destination zones - #22 by psherman

I have to create 2 rules each for LAN (Main) and Guest Network even if they do the same thing for each zone. It would be nice to combine them into one.

Multiple Destination

For example, Allow port 443 from lan to wan and vpn

These 6 can be compressed into 2

I can't use any zone to this device and any zone to any zone; it breaks OpenWrt.


To Combine these

I have to use this, which also allows LAN to "other zones".

These 6 can be compressed into 2

Like from Private, Guest, Lan to this device.



Also, I have to block inter-zone traffic for 3 zones; there are 8 rules.


These 8 can be compressed to 2 using

Block from wan, vpn to LAN, GUEST, Private, this device.


Is 443 TCP allowed at 192.168.1.1/cgi-bin/luci/admin/network/firewall/rules?

By default these are the only rules present.

Anyway, I put the rule at the end to block unless allowed.

Other examples of where this can be useful:

Block port 22 from LAN, Guest to WAN and Router
Block port 443 UDP from LAN/Guest to WAN


What are you asking? A series of sentences and pictures with no explanation is meaningless.


Really?

Because here's the duplicate:

You've asked the same thing verbatim.

Edit:

If it has not been made clear - if you don't wanna use the combined Any Zone (your post isn't clear what issue you're having - if I recall from another thread, it was a security issue to a zone named "IoT" that you failed to show in the configs), then yes, create 2 rules.

I'm also a little unclear as to what the purpose of some of these rules is. Why block LAN access to the WAN and VPN in the first place?


(OP has another thread where they want to block everything but an IPset of VPN endpoints. Maybe it's related...maybe not...?) :man_shrugging:

I realized something while drafting a post to ask one important thing:

Can anyone confirm underlying nft could declare the two DST zones?

This is what I realized in the following sentence and then seeing a zone "private":

There's other zones the OP fails to mention.

Next, the OP goes on to say:

@krazeh - I couldn't zoom that screenshot, so I didn't see - it's quite important.

Why?

The two rules the OP lists can be made in the default zone rules:

  • OP edits LAN zone - unchecks all "Allow forward to destination zones" zones listed
  • the any zone to any zone rule? - there shouldn't be interfaces with undeclared zones; but changing the General forward option to Drop or Reject solves this
  • lastly, this "example" isn't the config the OP first begins to describe :man_shrugging:

This is why I'm unsure of the issue the OP's truly having.

I think he means to define multiple sources or multiple destinations in a single firewall rule. For example, in the first screenshot, it'd be "Private", "Guest" and "lan" to "this device" as a single rule instead of three separate ones. Same with the forwarding rules, all are copies of each other. That's why he wants it simplified to two rules.

At least, I see value in this interpretation anyhow; it will make it far easier to deal with rules that apply to multiple zones.


Yes indeed, you interpret correctly, which is why I note something needed to do so in LuCI/fw4:

Now one issue arises - the OP's reasons why:

The OP doesn't need any of the 2 rules in the screenshot that "solved" the issue. And as you clearly note, that's not what the OP described.

As you might observe, quite a few rules screenshotted are either redundant, or can be configured as default zone rules. Lastly, deducing from that, I also see input rules shown. It's really unclear what OP means by "multiple".


Now, now, let's ignore OP's failings. Focusing on that won't help anything.

I've not used nft myself, only the high-level tools. But even if nft doesn't support multiple zone declaration, could fw4 realistically accept multiple zone definitions, but in the backend do the same thing it's already doing now? Or would that be far too complicated?

That's the issue that prompts my question.

At least for now, every overlying rule written in UCI syntax, matches a line in iptables (fw3) or nft (fw4) syntax.

Otherwise, this would break that dynamic. Not to mention the "failings" - but it's already been made clear the rule isn't needed to reduce the amount of configs the OP noted [to resolve the issue]. You can configure a device not to forward anywhere in its default zone rule. Obviously, you need some allow rule that would come before the default. We need to make sure that the OP doesn't think some "logic truncation" is occurring on the firewall rules - they're not processed that way.

To my understanding (at least in fw3) - to allow a firewall rule, e.g. 443/tcp, in addition to another zone, it would also require an additional rule for the 2nd zone.

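As an added example (not from the thread and not fw4's generated output), here is a plain nftables ruleset showing that nft itself can match several zones in one rule through anonymous interface sets, which is what a combined source/destination rule in UCI would have to compile down to. The interface-to-zone mapping is assumed: br-lan = lan, br-guest = guest, br-private = Private, eth0 = wan, tun0 = vpn.

```nft
# Added example; interface names below are assumptions, not from the thread.
# Default policy is drop, so no blanket "any zone to any zone" rule is needed,
# matching the advice above to set the general forward option to Drop/Reject.
table inet multizone_example {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Keep replies to already-accepted flows working in both directions.
        ct state established,related accept

        # One rule in place of the six separate UCI rules the OP described:
        # lan and guest -> wan and vpn, TCP 443 only.
        iifname { "br-lan", "br-guest" } oifname { "eth0", "tun0" } tcp dport 443 accept

        # Everything else falls through to the chain's drop policy, which is
        # the "block unless allowed" behaviour the OP put at the end by hand.
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # The "Private, Guest, lan -> this device" case, again as a single rule
        # with a set of ingress interfaces instead of three copies.
        iifname { "br-private", "br-guest", "br-lan" } tcp dport 443 accept
    }
}
```

Validate the syntax without touching the live ruleset with `nft -c -f multizone.nft`; note this stand-alone table does not replace fw4's own tables, it only shows the matching nft can express.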
