Fixed: QoS automation no longer breaks Docker networking; it now avoids nftables service reload/flush workflows.
Fixed: nft ctmark→fwmark apply is now idempotent; repeated runs no longer create duplicate rules.
Added: vff-qos-nft.service oneshot unit to restore runtime rules after reboot.
Improved: optional self-heal; the script keeps exactly one rule per chain and removes duplicates automatically.
Notes: If duplicates were already present, run nft delete table inet vff_qos_ctmark once (or restart vff-qos-nft.service) to reset.
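
The self-heal check described above (one rule per chain, duplicates removed), shown as an added example rather than the project's own script. The table name comes from the notes; the chain names, the rule text, the function names and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the project's script. Table name is from the notes above;
# chain names, rule text and function names are assumptions.
TABLE="inet vff_qos_ctmark"

# Constructed sample of `nft -a list table inet vff_qos_ctmark` output after
# a non-idempotent apply ran three times against the prerouting chain.
vff_sample_listing() {
    cat <<'EOF'
table inet vff_qos_ctmark { # handle 12
    chain prerouting { # handle 1
        type filter hook prerouting priority mangle; policy accept;
        meta mark set ct mark # handle 3
        meta mark set ct mark # handle 4
        meta mark set ct mark # handle 7
    }

    chain output { # handle 2
        type route hook output priority mangle; policy accept;
        meta mark set ct mark # handle 5
    }
}
EOF
}

# Read a handle-annotated listing on stdin; print "<chain> <handle>" for every
# rule whose text repeats an earlier rule in the same chain (first copy is kept).
vff_dup_handles() {
    awk '
        $1 == "chain" { chain = $2; next }
        $1 == "}"     { chain = ""; next }
        chain != "" && match($0, / # handle [0-9]+$/) {
            handle = substr($0, RSTART + 10)
            rule = substr($0, 1, RSTART - 1)
            sub(/^[ \t]+/, "", rule)
            if (seen[chain SUBSEP rule]++) print chain, handle
        }'
}

# Turn the duplicate list into per-rule deletes scoped to the dedicated table,
# so no other table (Docker's included) is touched.
vff_dedupe_cmds() {
    vff_dup_handles | while read -r chain handle; do
        echo "nft delete rule $TABLE $chain handle $handle"
    done
}

# Dry run on the sample; on a live host feed it `nft -a list table $TABLE`.
vff_sample_listing | vff_dedupe_cmds
```

The functions only print the delete commands, so the output can be reviewed before anything is applied as root.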