Syn flood protection for FORWARD?

The SYN-flood protection is incomplete: only the rule in the input hook is activated, but the forward hook is forgotten. It is better to place the rule in the prerouting hook so that it covers all devices. You could also activate additional attack types in the ingress hook, which should be very fast. Something like this:

nft -f - <<TABLE
table netdev filter {
	chain ingress {
		type filter hook ingress devices = { eth0, Wg0 } priority -500;

		# SYN FLOOD: drop bare SYNs (SYN set, FIN/RST/ACK clear) above a rate
		# limit. Without the limit every SYN, i.e. every new inbound
		# connection, would be dropped. Rate and burst are assumed values.
		tcp flags syn / fin,syn,rst,ack limit rate over 10/second burst 20 packets counter drop

		# IP FRAGMENTS: non-first fragments (fragment offset != 0)
		ip frag-off & 0x1fff != 0 counter drop

		# IP BOGONS
		# From <https://www.team-cymru.com/bogon-reference.html>.
		# Note: the private ranges below also drop traffic on Wg0 if the
		# tunnel uses RFC 1918 addresses; restrict the rule to eth0 in that case.
		ip saddr { \
			0.0.0.0/8, \
			10.0.0.0/8, \
			100.64.0.0/10, \
			127.0.0.0/8, \
			169.254.0.0/16, \
			172.16.0.0/12, \
			192.0.0.0/24, \
			192.0.2.0/24, \
			192.168.0.0/16, \
			198.18.0.0/15, \
			198.51.100.0/24, \
			203.0.113.0/24, \
			224.0.0.0/3 \
		} \
		counter drop

		# TCP XMAS: FIN, PSH and URG all set
		tcp flags & (fin|psh|urg) == fin|psh|urg counter drop

		# TCP NULL: no flags set at all
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

		# TCP MSS: SYNs advertising an implausibly small MSS
		tcp flags syn \
			tcp option maxseg size 1-535 \
			counter drop
	}
}
TABLE
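The prerouting placement the post recommends, written out as an added example that is not the poster's ruleset: one rate limiter per source address in the inet table's prerouting hook, so it covers both input and forward traffic. The set names, chain priority, rate, burst, timeout and size values are assumptions.

```nft
# Added example, not from the post above. All numeric values are assumptions.
table inet filter {
	# Dynamic sets filled from the packet path: one limiter per source.
	set syn_meter4 {
		type ipv4_addr
		flags dynamic,timeout
		timeout 1m
		size 65535
	}
	set syn_meter6 {
		type ipv6_addr
		flags dynamic,timeout
		timeout 1m
		size 65535
	}

	chain prerouting {
		# Runs before the routing decision, i.e. before the input/forward split,
		# so the same rule protects the host and the hosts it routes for.
		type filter hook prerouting priority -150; policy accept;

		# Bare SYN (SYN set, FIN/RST/ACK clear) from one source over the limit.
		tcp flags & (fin|syn|rst|ack) == syn \
			add @syn_meter4 { ip saddr limit rate over 20/second burst 40 packets } \
			counter drop
		tcp flags & (fin|syn|rst|ack) == syn \
			add @syn_meter6 { ip6 saddr limit rate over 20/second burst 40 packets } \
			counter drop
	}
}
```

Check the file with `nft -c -f <file>` before loading it; the per-source entries and their counters can be inspected with `nft list set inet filter syn_meter4`.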