UCI Firewall option masq_allow_invalid seems to be ignored by fw4.
The nft ruleset doesn't change when the option is enabled and packets are leaked, regardless of the setting.
AFAIK, nft accepts "ct state" (with a space), not "ctstate".
root@OpenWrt:~# service firewall restart
/dev/stdin:120:36-42: Error: No symbol type information
meta nfproto ipv4 oifname "eth1" ctstate invalid counter drop comment "!fw4: Prevent NAT leakage"
                                 ^^^^^^^
The rendered ruleset contains errors, not doing firewall restart.
Fixing zone-drop-invalid.uc accordingly, the leakage disappears.
Thank you.
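The following is an added example, not code from the post above nor from the fw4 project. It shows the rendered rule with the rejected `ctstate` token beside its corrected `ct state` form, a check that flags the bad token in a rendered ruleset, a rewrite that produces the valid syntax, and an optional dry-run syntax check with `nft -c -f -` (which only runs when nft is installed). The ruleset text and the function names `has_bad_ctstate`, `fix_ctstate` and `check_with_nft` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or fw4): spot and correct the
# invalid "ctstate" keyword in a rendered fw4 ruleset before nft parses it.
#
# SAMPLE_RULESET is a constructed fragment modelled on the error in the post:
# the NAT-leak drop rule uses "ctstate", which nft rejects; the valid
# keyword is "ct state".
SAMPLE_RULESET='table inet fw4 {
	chain wan_postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		meta nfproto ipv4 oifname "eth1" ctstate invalid counter drop comment "!fw4: Prevent NAT leakage"
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}
}'

# The same rule as nft expects it (for reference):
CORRECT_RULE='meta nfproto ipv4 oifname "eth1" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"'

# Return 0 when the ruleset contains "ctstate" as a standalone token.
# Word boundaries avoid false hits on e.g. "conntrack" or an existing "ct state".
has_bad_ctstate() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])ctstate([[:space:]]|$)'
}

# Rewrite "ctstate <state>" to "ct state <state>"; lines already using
# "ct state" are left untouched. Prints the corrected ruleset.
fix_ctstate() {
    printf '%s\n' "$1" | sed -E 's/(^|[[:space:]])ctstate([[:space:]])/\1ct state\2/g'
}

# Dry-run syntax check: "nft -c -f -" parses the ruleset from stdin without
# loading it. Skipped (returns 0) when nft is not installed on this host.
check_with_nft() {
    if command -v nft >/dev/null 2>&1; then
        printf '%s\n' "$1" | nft -c -f -
    else
        echo "nft not available, syntax check skipped" >&2
        return 0
    fi
}

# Usage: flag the broken ruleset, print the corrected one, dry-run it.
if has_bad_ctstate "$SAMPLE_RULESET"; then
    echo "ruleset uses 'ctstate'; nft will reject it" >&2
fi
FIXED_RULESET=$(fix_ctstate "$SAMPLE_RULESET")
printf '%s\n' "$FIXED_RULESET"
check_with_nft "$FIXED_RULESET"
```

On an OpenWrt box the same check can be applied to the live output of `fw4 print` instead of the constructed sample; the dry-run step is what `service firewall restart` effectively does before refusing to load a ruleset with errors.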