drop nftables ruleset dump + journal · parse rule diff · runs locally
before/after ruleset dumps · /etc/nftables.conf · journalctl nft/firewalld lines · compare baseline vs suspect
heuristic screener · multi-table rulesets use line-level diff, not full semantic equivalence · not definitive proof