The FirewallD has lacked proper support for “router” (until current version in el8 and el9). Hence insufficient for “real work”.
The ‘ether’ match should allow “by MAC” filtering: Quick reference-nftables in 10 minutes - nftables wiki
Yes, my other thought was to classify the packets by using --set-mark in the MANGLE table based on the MAC address, and then do filtering based on that class mark.
But, this has become off-topic for this thread. I’ll start a new topic if I run into issues with the firewall and routing.
Thanks to all who helped me with this.