pub fn render_ruleset(subnets: &[SubnetFirewall]) -> String
Render the complete nft ruleset for a set of subnets. Deterministic (subnets and rules emitted in the order given; the caller sorts for stability) so the output can be diffed and unit-tested.
Model: a single forward chain, default-accept, that for every instance emits its allow rules followed by a default-deny to that instance's IP. Established/related traffic is accepted up front so security groups behave statefully, like AWS. NACL deny rules are emitted per subnet before the per-instance rules (stateless, subnet-wide).
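The rendering order described above, as an added example rather than the project's own implementation: the `AllowRule`, `Instance` and `SubnetFirewall` field layouts, the `inet sg` table name and the NACL deny shape (source CIDR to subnet CIDR) are assumptions made for this illustration.

```rust
use std::fmt::Write;

// Hypothetical model types (assumed here, not the project's own definitions).
pub struct AllowRule { pub proto: &'static str, pub port: u16 }
pub struct Instance { pub ip: &'static str, pub allows: Vec<AllowRule> }
pub struct SubnetFirewall {
    pub cidr: &'static str,
    pub nacl_deny_sources: Vec<&'static str>, // stateless, subnet-wide denies
    pub instances: Vec<Instance>,
}

/// Render the ruleset in the order the model prescribes: stateful accept first,
/// then per subnet its NACL denies, then each instance's allows plus its default-deny.
pub fn render_ruleset(subnets: &[SubnetFirewall]) -> String {
    let mut out = String::new();
    out.push_str("table inet sg {\n  chain forward {\n");
    out.push_str("    type filter hook forward priority 0; policy accept;\n");
    // Return traffic of already-allowed flows is accepted here, which is what
    // makes the per-instance rules below behave like stateful security groups.
    out.push_str("    ct state established,related accept\n");
    for s in subnets {
        for src in &s.nacl_deny_sources {
            writeln!(out, "    ip saddr {} ip daddr {} drop", src, s.cidr).unwrap();
        }
        for i in &s.instances {
            for a in &i.allows {
                writeln!(out, "    ip daddr {} {} dport {} accept", i.ip, a.proto, a.port).unwrap();
            }
            // Nothing else may reach this instance: default-deny pinned to its IP.
            writeln!(out, "    ip daddr {} drop", i.ip).unwrap();
        }
    }
    out.push_str("  }\n}\n");
    out
}

/// Constructed sample input: one subnet, one NACL deny, two instances.
pub fn sample() -> Vec<SubnetFirewall> {
    vec![SubnetFirewall {
        cidr: "10.0.1.0/24",
        nacl_deny_sources: vec!["192.0.2.0/24"],
        instances: vec![
            Instance { ip: "10.0.1.10", allows: vec![AllowRule { proto: "tcp", port: 443 }] },
            Instance { ip: "10.0.1.11", allows: vec![] },
        ],
    }]
}

fn main() {
    print!("{}", render_ruleset(&sample()));
}
```

Because the output is plain text in a fixed order, a unit test can pin the relative positions of the stateful accept, the NACL deny and each instance's allow/deny pair, and a second render of the same input must be byte-identical.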