nftables: reorder rule for rejecting SSH via anycast

nftables/nftables-ns2.conf

@@ -44,11 +44,11 @@ table inet filter {
         # ordered after accepting loopback to permit using external IPs via loopback
         fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+        udp dport 53 notrack accept
+
         # reject SSH packets via anycast IP
         tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
 
-        udp dport 53 notrack accept
-
         # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
         tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept