Nftables compatibility and performance issues in OpenWrt 23.05.2 (and 22.x.x)

I can't look at my rules right now but IIRC I think I have brackets and greater than signs escaped.

Maybe that's a hangover from my previous incantations in the ash shell though and I don't actually need to do that.

EDIT: I just checked and it does indeed look like those characters don't need to be escaped :+1:

1 Like

Some interesting statements in your reply - blame me for cherry picking, but I couldn't stand my hand not replying to them (considering them false assumptions).

You mean the new stupid, overcomplicated, incomplete and usability (user/shell) unfriendly way of doing things? If yes, I feel you then.

Never heard of that, not even the nftables developers are expressing such statements, but more highlighting the improvements and efficiency in the kernel ABI and userspace API. Although, given my concrete experience now with the performance impact, I'm not sure about all these "improvements".

Right, and that will help in what marginal case? The average Joe, not specialized (not a guru) in networking, with a simple (and nowadays crucial/necessary) firewall requirement will really appreciate that.

Very good, in iptables you were not able to mark packets and then treat the flows (which are the main focus/concern) accordingly with tc ... specialized tool for specialized purpose. This looks to me like a solution for a nonexistent problem.

Well, I did that and it didn't work. Coming back to the many tables and no f... clue where the packets were filtered (which rules from which table were hit).

I don't know about "most" as I'm a Slackware user and Slackware doesn't teach (impose) the user what to do/use/choose. Never did, never will. Actually the firewall script provided is not even executable and empty.
Nor do I care for the most/popular distros, as I don't really regard them anymore as Linuxes (obviously they are, at least based on standard Linux kernel, libs and tools), but a mess of Redmond-like automations/helper scripts/abstractions/apt-get/apt-dont-get that I have to fight and tame in order to achieve simplicity and flexibility. I don't necessarily advocate Slackware either, it's a royal PITA if you don't know Linux (because it's Linux (tools) in its "purest" form - design philosophy is on Wikipedia). Nevertheless, I understand/appreciate/respect that some popular distros like Debilan/Ubuntu are easier to use especially for devs looking for a simple (to update/maintain) build environment.

Having said all that, I understand that there are some improvements/extensions in the architecture and usability compared with iptables and it's expected to be like that given it's an evolution. Well, I still regard it as a regression in all its extent.
But then, I see this nftables thing mainly as incomplete work and therefore I cannot appreciate/respect it, not impressed. Furthermore, in my objective and concrete analysis (and shocking experience) I was criticizing mainly the syntax, which I regard as inconsistent (brackets, curly brackets, pipes and commas for series separations, etc.), counterintuitive to some extent (no clear highlighting of chains networks/IPs, switches for easy inspection/parsing and understanding of rules blocks), inefficient (too many words - poetry?), that unformatted zig-zag output of nft list is just plain f... stupid and finally the hurdle to delete a rule was the last drop for me (might need some AI help to parse the ruleset and identify the targeted line....).

I asked myself why the properly documented/well known/well designed iptables syntax was not adopted (extended with new features/flags/directives too - borrow the already available source code) and I fear that the nftables devs, out of exuberance/lack of (sysadmin/networking) field experience, dev (coding) minded approach and a potential lack of proper project/architectural management (inconsistency in the syntax development) produced the actual abomination. Might be exciting to adopt this abomination for other devs (coding minded) or script kiddies, having plenty of time to kill with curly brackets in advanced editors, but not for normal ("mortal") sys/net admins. Nothing to feel enlightened about the repulsiveness and ambiguity of the actual usability.
And there's another worrisome point - I said I had my own pretty long learning curve with iptables, given it wasn't properly documented, not much discussions and forums (decades ago), but it was an easier life back then. There were not that many automated attacks/scans/botnets/exploits/IoT spyware...etc at that time, so a mistake was "tolerated", nowadays it is more "catastrophic". Now, in these very "nasty" times you come with some utterly dumb and overly complicated pile of ... unfinished work and impose it over the poor little f**ker/user, expect her/him to learn it fast and use it correctly. Get real, would you?

One last point, I'd focus on the scope of OpenWrt as a customized, limited in flexibility (not a full fledged Linux) and dedicated OS for routing, designed for running on mainly very limited HW capabilities and used by "consumer-level" average Joe, who's neither a dev nor a script kiddie. This average Joe, one might argue, could use the LuCi provided forms for traffic filtering (or even write uci blocks in /etc/config/firewall) and I agree with that to some extent, at least for a few simple port forwarding and filtering rules. But once you have a dozen of those, you lose oversight in that UI/uci representation and it becomes painful/time consuming to clicky-clicky in LuCi or edit the firewall file and scroll/add/delete rules ... in vi.

While iptables is around (apparently developed) and not EOL, I prefer to stick with it. Thank you very much.

I rest my case.

Linux added nftables a decade ago with Linux kernel version 3.13. Nothing hasty or rushed about it. Developed by the same team that did iptables but with an eye to the future - performance and reduction in code complexity/duplication among the goals.

Slagging nftables because you are struggling with it is poor form.

Added as work in progress and not imposed, and you should do some more research about the "same" team.
Not slagging, but objectively criticizing it, not struggling but rather avoiding an unnecessary PITA affecting both my efficiency and effectiveness.
And in the end caring (maybe too much) and not writing superficial rubbish and personal attacks like you do over here.

If nftables is really so bad then how can we make sense of it having replaced iptables as the default framework (and not just in respect of OpenWrt)? Hype can only go so far, right?

2 Likes

Where and since when did it replace iptables? If you mean Debilan and Ubuntu, well, those were always "the new kids on the block" showing off with the latest and greatest, soon competing with Redmond in feature richness and ease of use (my opinion).
I wouldn't compare OpenWrt with those distros, just no sense at all.

Don't see any hype but a rush decision and I was wondering myself already 1 year ago why OpenWrt enforced this unfinished mess in at that time some release candidate - see:

But then again, I closed this thread myself and am tired of arguing objectively with subjectively minded folks on subjective impressions and beliefs. I was originally addressing the devs with a simple question/request.

How is this a simple question/request?

1 Like

Just noticed you're not a developer but an OpenWrt user since 2019, thus not sure how you represent the developers.
And to clear out your confusion, this is a quote from my OP (simplified, code base for OpenWrt 21.x.x. is still available and security patches could be applied/backported):

I'm not claiming to represent anybody, I was merely surprised why you would classify this as "simple". I for sure do not, same as a lot of people, even so called "developers".

But do note that I am maintaining a luci app. Guess in your book that means I'm just a user.

1 Like

To be honest you have really misunderstood this opensource OpenWrt project. Anyone with a GitHub login can be a developer if they want to and it will help (obviously) if they know how to write actual code.
But what we lack in numbers are testers and reviewers, they are just as important as “the developers”. But if I get to decide they all are developers. We also have all people writing in the wiki and here at the forum.

I have made the D-Link DGS-1210-10MP and I have helped in octeon/Edgerouter4 development so I am a developer.

But one thing I notice in everything you say is that you simply always want to do everything in the hardest way possible whatever you do, and you really don't want help or support. And I will definitely not stand in your way of doing this extra work when you really want to do it in your way.

But I can definitely guarantee you that nftables won't be dropped for iptables in a long time just to help your setup.

But you did, I was addressing the question directly to the devs. And again you try to represent "a lot of people".
I was looking at your profile and noticed you're a user and not a dev - should change it.

Writing what I think does not mean I represent everybody. Representing means speaking for them. What I merely did was summarize what I read and voice my opinion. Represent typically also needs an endorsement, which I do not have.

So to make it clear:
What I write are my own views, I do not represent anybody nor do I want to.

My advice to you, fork OpenWrt and maintain the iptables support in future versions yourself. Reading your experience you should have no trouble with that whatsoever (and to make it clear that is my opinion, I am not trying to represent you). Sticking to version 21.xx in the long run is a bad idea.

Thank you and have a nice day.

Well, that's the thing I don't think I did, quite the opposite, I was referring already to the scope of OpenWrt, as far as I understood it:

I still remember the "schism" with LEDE (Linux Embedded Development Environment) and was realizing myself that time that you can't just develop a lot of computing hungry complexity on a rather limited HW. Because the HW in these "common" affordable (~50-80EUR - worth buying) routers is so bad (processing/storage/memory) that it barely can handle basic networking stuff/services at full advertised speed/throughput.
It's also that time I stripped OpenWrt (first the VPNs) of any additional services. Kept it as a first stage firewall and basic (Internet)networking services (fwknop, DynDNS & such) and migrated the more complex/hungry services inside the LAN (after the router) on proper HW and proper (fully functional) Linux. For instance, my actual "internal" iptables firewall has around 1000 rules and a very negligible performance/latency impact (Dell WYSE thin client - quad core celeron + 8 GB DDR4 + 128 GB SSD - 65EUR as SH).
Now, one needs some proper architectural (sizing/scope) considerations (and experience) when designing a networking/services systems solution and not just blindly adding more and more services on a very limited router ... and expecting wonders. In some other post a user showed off with an adaptation of a rather complex access & firewall control for OpenWrt, which is laudable as effort. But I said to myself, why on earth would I run such a complex mess on a very limited HW instead of dedicating and linking (forwarding to it) a proper HW/OS for it?
Thus, what's the actual developing goal of OpenWrt? What's the actual predominant user base (can be easily learned from the images download statistics)? If it's still dedicated to the initial/inception goals ("WRT") to provide a better alternative to the stock FW for routers, then it should be acted accordingly with the development, defining some limits. If it's a "universal" routing and networking solution, well, then good luck with that! Worth mentioning that there are already established distros doing the same (competition) that unlike OpenWrt are based on fully functional (not stripped down packages and tools) Linuxes. Plus, I do believe that users will choose themselves the distro they're more familiar with (I'll definitely use Slackware).

Well, I find it quite a false accusation (got used with these already in this thread) blaming me, a long time Slackware user, Slackware relying fundamentally on the KISS principle, criticizing nftables for its useless complexity in both design and syntax, the complexity in adopting it (as scripted ruleset) in OpenWrt, for looking to "do everything in the hardest way possible" :slight_smile:
What help and support should I require? I didn't even ask for such, instead I was describing in full details, helping other potential users, my first nftables custom script implementation. Rather successful one I might add, that's if omitting the ~50% throughput drop ...

I'm pretty sure nftables will be around, it's been around since 2008 and I'm still wondering what was done to it in all these (many) years, given the actual unfinished and horrifying pile of ... state. I hope too that further development will be done, so that it might become something worth considering - a finished product, so to say.

Thank you for the clarifications, much appreciate them. You should maybe remember these "rules" for your further posts :wink:

Thank you also for your advice, I did consider it at some point last year, but then after a simple cost-benefit analysis, I found it worthless and I do have other alternatives. But these mean ditching the use of OpenWrt unfortunately...

2 Likes

I definitely agree with you here, we have these cases coming around from time to time on the forum.
The problem always comes when routers are going to start doing data processing instead of data movement to more dedicated data processing devices. And this problem also grows exponentially with the internet speed people have now and in the future.
And with the introduction of Realtek switches and some business class access points (devices that have a cpu to run a web admin page) they always crash and burn just by turning on a firewall and start doing wan connected routing at Gbit speeds.

This has been looked at already mostly for the question what devices are dead ends and no one actually uses it.
But the data is inconclusive at best. We can see specific downloads from the download page for sure.
What we can’t see or measure is actual installs or usage.
And we definitely can’t measure how many that download and build from source code.
Most advanced users actually use the image builder or source code directly.
And then we always have 1 or 2 users of the whole world's population that still run ver.1 of Linksys WRT54G.
If you ask me, internet has become so big and fast over the last 20 years so we can't in the long run keep supporting devices that have no hardware to survive real life usage. The ToH simply will get too big and fail because no one can admin it sooner or later.

But we have a safety valve for target support, and that is the growing memory demands of the kernel simply wipe the support of EOL devices that don't work in real world internet demands anyway.

While the moderators were asleep, understandably during weekend, I took the initiative (and my right) to fight back personal false accusations (call them attacks) from some users and indeed I stepped over my last "ending" argument/post.
And just out of respect I did also reply to flygarn12, who was one of the few more knowledgeable and interested in the subject.
However, I didn't take offense to your false accusation, considering that maybe you're affected by functional illiteracy (specifically able to read but not having the necessary background to also understand what you read) and unable to understand what trolling means, falsely identifying myself as such.
For lack of better reference, please have a look at Wiki:

"
In slang, a troll is a person who posts or makes inflammatory, insincere, digressive,[1] extraneous, or off-topic messages online (such as in social media, a newsgroup, a forum, a chat room, an online video game) or in real life, with the intent of provoking others into displaying emotional responses,[2] or manipulating others' perception, thus acting as a bully or a provocateur.
...
Application of the term troll is subjective. Some readers may characterize a post as trolling, while others may regard the same post as a legitimate contribution to the discussion, even if controversial.
...
At times, the word is incorrectly used to refer to anyone with controversial, or differing, opinions
"
Do ask for assistance if unable to understand the definition. No shame in being functionally illiterate, the last report I read about Europe (EU) was estimating that more than 40% of the population are affected by functional illiteracy...

Thanks for the reply and consideration. In the post you replied to I was maybe too vaguely defining what I meant with limitations:

I focused solely on the switch from iptables to nftables and the substantial performance impact. As presented above in one of the earlier posts, on the same HW the rather simplistic iptables ruleset (just simple drop filters and forward allowance ones, no fancy user-defined chains & co) costs around 5% throughput loss and the same ruleset translated to nftables costs ~ 50% throughput drop.
Thus, a new firewalling substitute was adopted that kills half of the throughput.
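Two earlier posts in this thread touch on concrete nftables questions: the criticism of the syntax and of how hard it is to delete a single rule, and the description just above of a simple iptables ruleset (drop filters plus forward allowances, no user-defined chains) translated to nftables. The following is an added example, written for this thread and not taken from any participant's script nor from OpenWrt's fw4, showing what such a translation looks like as an nft script file, with counters on the rules so that "which rule was hit" can be read off the ruleset. The table name `filter`, the interface names `br-lan` and `wan`, and the port numbers are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: a minimal inet ruleset equivalent to the
# kind of iptables policy described above (default DROP on INPUT/FORWARD,
# accept established/related, trust the LAN, forward LAN -> WAN only).
# Interface names "br-lan" and "wan" and the port list are assumptions.
#
# The same policy as iptables commands, for comparison:
#   iptables -P INPUT DROP; iptables -P FORWARD DROP
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -i br-lan -j ACCEPT
#   iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -i br-lan -o wan -j ACCEPT

flush ruleset

table inet filter {
    chain input {
        # "policy drop" plays the role of "iptables -P INPUT DROP"
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Everything arriving from the LAN bridge is trusted
        iifname "br-lan" accept

        # ICMP/ICMPv6 is needed for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept

        # Explicit WAN drop filters. "counter" makes each rule report how many
        # packets it matched in "nft list ruleset", which answers the question
        # of which rule actually filtered a packet. The log rule is optional.
        iifname "wan" tcp dport { 22, 80, 443 } counter drop
        iifname "wan" counter log prefix "nft-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The LAN may initiate connections towards the WAN; nothing else is forwarded
        iifname "br-lan" oifname "wan" counter accept
    }
}
```

Load the file with `nft -f <path>`. Listing with `nft -a list ruleset` prints every rule with its handle number, and one rule is then removed with `nft delete rule inet filter input handle <N>`, so a single rule can be dropped without re-reading the whole ruleset by eye. Note that `flush ruleset` also removes fw4's own `table inet fw4` on OpenWrt 23.05, so a script of this kind is meant to run instead of fw4, not alongside it.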

This thread is now veering way off topic so it will be closed.

I would like to remind everyone about the community guidelines -- please keep it civil, keep it on topic, and keep the conversation moving forward. There are many posts here that do not adhere to our guidelines and I would urge the authors of said posts to consider editing the content to keep them on point. Thank you.

2 Likes