Mixing declarative and imperative syntax is supported by recent nftables versions, but is known to be broken in older releases. This affects the nftables version currently provided by Osmocom for Debian 12 (bookworm): 1.0.6.3~osmocom.429.7d98.
As a result, the generated ruleset ends up accepting all packets rather than only udp/2152 as intended. Consequently, the nftables counters do not reflect GTP-U traffic alone, but also include signalling traffic.
Let's work this around by adding the udp/2152 filtering rules separately using the imperative syntax. Split the logic for adding a chain into a separate function to avoid code duplication.
