The port forwards themselves can only match a single IP(-range). I'd prefer not to create 20 duplicate rules to implement this.
So I though I'll just create an unrestricted port forward and add restrictions using traffic rules. Unfortunately, fw4's nftable rules accept all forwarded traffic using ct status dnat accept
and I don't see any way to disable that behavior.
I also don't see a way to create negated traffic rules like "if IP != X: drop".
Do you see any way to create this seemingly trivial configuration?