The firewall::service class and subsequent nftables::service supports various parameters to allow specific source/destination ports and IPs.
For the work in T300152 it would be useful to also support ACLs based on the source interface.
In the meantime the workaround is to use nftables::file::input but this is more brittle.