In some circumstances, per-interface rulesets are undesirable. Having a single ruleset applied to all traffic traversing the firewall makes much more sense in some cases. This is especially true with large numbers of interfaces (10+), which is common in VLAN environments. It also eliminates the problem that exists today in such environments, where the per-interface tabs run far off the screen.
The default would remain per-interface rules, because that way makes more sense for most users. There would be an option to switch from per-interface to single ruleset, and vice versa.
Rules would have to be generated differently in the back end for a single ruleset, since rules are currently bound to interfaces.
Antispoofing may need modification as well.
We need to include logic to allow switching between ruleset types.
When switching from per-interface to single ruleset, rules on each interface whose source is 'any' would need to be converted. Those rules would have the source network 'any' replaced with the subnets on that interface, since a per-interface rule with source 'any' only ever matched traffic arriving on that interface.
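As an added illustration of that conversion (example code, not part of this design note or any firewall's code base), the following flattens per-interface rules into one ordered ruleset, replacing a source of 'any' with the owning interface's subnets and rendering the result as pf-style text with no interface binding. The interface names, subnets and rules are constructed sample data.

```python
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass
class Rule:
    action: str       # "pass" or "block"
    proto: str        # "tcp", "udp" or "any"
    src: List[str]    # ["any"] or a list of CIDR networks
    dst: List[str]    # ["any"] or a list of CIDR networks
    dport: str        # destination port or "any"
    descr: str = ""


# Constructed sample interfaces and their per-interface rulesets (not from the page).
INTERFACES: Dict[str, List[str]] = {
    "lan": ["192.168.1.0/24"],
    "vlan10": ["10.10.0.0/24", "10.10.1.0/24"],
}
PER_INTERFACE_RULES: Dict[str, List[Rule]] = {
    "lan": [Rule("pass", "any", ["any"], ["any"], "any", "Default allow LAN")],
    "vlan10": [
        Rule("pass", "tcp", ["any"], ["192.168.1.10/32"], "443", "VLAN10 to web"),
        Rule("block", "any", ["10.10.0.5/32"], ["any"], "any", "Quarantine host"),
    ],
}


def to_single_ruleset(per_iface: Dict[str, List[Rule]],
                      interfaces: Dict[str, List[str]]) -> List[Rule]:
    """Flatten per-interface rules into one ruleset, preserving order.

    A per-interface rule with source 'any' only matched traffic that entered
    on that interface, so once the interface binding is dropped the 'any'
    source is replaced with that interface's subnets to keep the same meaning.
    """
    single: List[Rule] = []
    for iface, rules in per_iface.items():
        subnets = interfaces[iface]
        for r in rules:
            src = list(subnets) if r.src == ["any"] else list(r.src)
            single.append(replace(r, src=src, descr=f"[{iface}] {r.descr}"))
    return single


def to_pf(rules: List[Rule]) -> List[str]:
    """Render rules as pf-style lines without an 'on $iface' clause."""
    out = []
    for r in rules:
        proto = "" if r.proto == "any" else f" proto {r.proto}"
        src = "any" if r.src == ["any"] else "{ " + ", ".join(r.src) + " }"
        dst = "any" if r.dst == ["any"] else "{ " + ", ".join(r.dst) + " }"
        port = "" if r.dport == "any" else f" port {r.dport}"
        out.append(f"{r.action}{proto} from {src} to {dst}{port} # {r.descr}")
    return out
```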
Converting back from a single ruleset to per-interface rules is more difficult. It would probably make the most sense to force the user to manually choose which interface to use for each rule. Something like the following screen after you switch from single to per-interface.