i've migrated some fw code to nftables, and am cleaning up my sources -- at this point, for my own readability. i've managed to so far miss any clear writeups on such housekeeping, so i'm using some trial-n-error :-/

when involving marks in nat/mangle chains, what's valid, or not, is a bit fuzzy. in this sample script

    cat tmp.nft
    #!/usr/sbin/nft -f
    define VPN = "A"
    define LAN = "B"
    define SVR1 = "1.1.1.1"
    define SVR2 = "2.2.2.2"

    table nat {
      chain prerouting {
        type nat hook prerouting priority -150; policy accept;

        # SET1
        meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 udp dport 53
        meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 tcp dport 53
        meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 udp dport 25
        meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport 465

        # SET2 (this seems a bit tortured, but it's fewer lines ...)
        meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
        meta mark set 0x02 meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport { 25, 465 }

        # SET3
        meta mark set 0x02 {
          meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
          meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR2 tcp dport { 25, 465 }
        }

      }
    }

rule groups "SETs" 1, 2 & 3 are _intended_ to be functionally equivalent, but simply increasingly "grouped" for convenience/readability (yes, arguable!)

testing, SET1 & SET2 seem OK, but SET3 is clearly unhappy:

    nft -c -f tmp.nft
    tmp.nft:24:4-7: Error: syntax error, unexpected meta
       meta iifname "$VPN" meta oifname "$LAN" ip daddr $SVR1 meta l4proto {tcp, udp} th dport 53
       ^^^^
    tmp.nft:29:1-1: Error: syntax error, unexpected '}'
    }
    ^

what's specifically DISallowed in my SET3 syntax usage? what'd be the 'most grouped' that SET can validly be?
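As an added example (not part of the original post), here is the grouping SET3 was reaching for, written as one nft rule over a concatenated anonymous set. nft has no construct for sharing a single statement across several match lines: a brace following `meta mark set` is parsed as a set or map literal, which only accepts constant elements, hence "unexpected meta". The valid way to collapse the four tuples is to match `daddr . l4proto . dport` against one set. The table name, chain, hook, priority, mark value and the 1.1.1.1/2.2.2.2 placeholder addresses are the post's; the interface define `$VPN` is kept as a placeholder too. Two editor's notes: rule parts evaluate left to right, so the match expressions are placed before `meta mark set` here (putting the set statement first marks every packet that reaches the rule, regardless of the later matches); and the output interface is not yet known at the prerouting hook, so the `oifname` match is omitted rather than silently never matching.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumes the post's table and
# chain layout; addresses and the interface name are placeholders.
define VPN = "A"

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -150; policy accept;

        # One rule instead of four: each element is daddr . l4proto . dport.
        # Matches come first; "meta mark set" only runs when they all hold.
        iifname $VPN ip daddr . meta l4proto . th dport {
            1.1.1.1 . tcp . 53,
            1.1.1.1 . udp . 53,
            2.2.2.2 . tcp . 25,
            2.2.2.2 . tcp . 465
        } meta mark set 0x02
    }
}
```

Check it with `nft -c -f` before loading; if the element list grows or needs runtime changes, the same concatenation can be moved into a named set (`set marked { type ipv4_addr . inet_proto . inet_service; ... }`) and referenced as `@marked`, so the rule itself never changes.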