Yes, when I wrote "It works" - it means "no error has been thrown".

Perhaps, it would be better to implement something like:

    "... ip daddr . ip protocol . protocol dport @xyz ..."

As workaround we can use (in most cases it is the preferable way):

    "... ip daddr . tcp dport @xyz_tcp ..."
    "... ip daddr . udp dport @xyz_udp ..."

But because DNS has TCP extension for big answers - we should repeat same rules ("1.2.3.4 . 53") in both sets.

It is really funny: you can create a set with concatenated ip:proto:port, but you can not use it :)

Vladimir Khailenko
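The per-protocol workaround described in the message above, written out as a complete nftables ruleset. This is an added example, not configuration from the original post or from the nftables project; the table name `filter`, the chain, and the `xyz_tcp` / `xyz_udp` set names are assumptions, and `1.2.3.4 . 53` is the sample DNS server address and port from the message.

```nft
# Added example (not from the original message): one concatenated set per
# transport protocol, each keyed on destination address . destination port.
# Names of the table, chain and sets are assumed for illustration.
table inet filter {
    set xyz_tcp {
        type ipv4_addr . inet_service
        elements = { 1.2.3.4 . 53 }
    }

    set xyz_udp {
        type ipv4_addr . inet_service
        # DNS falls back to TCP for large answers, so the same
        # address . port entry must be kept in both sets.
        elements = { 1.2.3.4 . 53 }
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Allow replies to connections the host already opened.
        ct state established,related accept

        # Match destination address and port against the per-protocol set.
        ip daddr . tcp dport @xyz_tcp accept
        ip daddr . udp dport @xyz_udp accept
    }
}
```

Load it with `nft -f <file>` and confirm the sets and rules with `nft list ruleset`. Any host that must be reachable over both TCP and UDP (DNS being the usual case) has to be added to both sets; adding it to only one is the mistake this layout invites, so keeping the two element lists generated from a single source is the easiest way to keep them in sync.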